Abstract

In the polymorphic $\lambda$-calculus, one may explicitly define functions that take a type as input and return a term as output. This work focuses on how such functions depend on their input types. Indeed, these functions are generally understood to have an essentially constant meaning on input types. We show how the proof theory of the polymorphic $\lambda$-calculus suggests a clear syntactic description of this phenomenon. Namely, under a reasonable condition, we show that if two polymorphic functions agree on an input type, then they are, in fact, the same function. Equivalently, types are generic inputs to polymorphic functions.



Résumé (French abstract, translated)

In the polymorphic $\lambda$-calculus, one may explicitly define functions that take a type as argument and return a term as result. The aim of this work is to better understand how these functions depend on their type arguments. Indeed, these functions are generally regarded as essentially constant with respect to their type arguments. We show that the syntactic theory of the polymorphic $\lambda$-calculus suggests a clear description of this phenomenon: under a reasonable condition, if two polymorphic functions agree on a single type, they are identical. In other words, types are generic arguments to polymorphic functions.
1 Introduction

The use of types as explicit parameters, or variable types, is at the core of polymorphic (functional) languages, and was introduced, in Logic, by Girard [Gir71] and, in Computer Science, by Reynolds [Rey74]. The idea is that one may define formal functions that explicitly depend on input types. In $\lambda$-calculus notation, where capital $X, Y, \dots$ stand for type variables, one may construct terms such as $\Lambda X.M$ which may be fed a type as input and give a term as output (in Logic jargon, $\Lambda X.M$ is a second-order term in impredicative Type Theory).

Originating with remarks by Strachey [Str67], a distinction was introduced on how these 
explicitly polymorphic functions should behave. Indeed, in computing, programs may depend 
on types. Overloaded functions, for example, may call different code according to the input 
type (or to the type of the input): + uses different code according to whether the addition is 
performed on (the type of) reals or integers, say. This sort of dependency of terms on types, 
known as ad hoc polymorphism, is an expressive feature of some programming languages, in 
particular when handled at run-time, and may suggest interesting and general formal systems 
(see [CGL92], say). 

According to Strachey (and Reynolds) then, "proper" polymorphism, as opposed to the ad hoc variety, is the property that second-order terms have a uniform dependency on input types, or that their output terms do not "essentially" depend on input types. Note, though, that the output terms of, say, $\Lambda X.M$ applied to types $\sigma$ and $\tau$, i.e., $(\Lambda X.M)\sigma$ and $(\Lambda X.M)\tau$, need not live in the same type. The point then is to understand how core systems, such as the Girard-Reynolds system F [Gir71, Rey74] (also known as the second-order $\lambda$-calculus), realize this uniform dependency property, known as parametricity, and compare terms possibly living in different types; more generally, to understand the functional behavior of formal functions such as $\Lambda X.M$.

A semantic criterion for parametricity was proposed by Reynolds [Rey83, MR91] as an invariance property under relations between type values. In short, if a relation is given between type parameters $\sigma$ and $\tau$, then (the interpretation of) $\Lambda X.M$, applied to (the meaning of) $\sigma$ and $\tau$, should send related elements of $\sigma$ and $\tau$ to related elements in the types of the outputs. This is known as relational parametricity, and a syntactic treatment of it is given in [ACC93] and in [PA93].

Another approach to parametricity was proposed by Bainbridge et al. [BFSS90]. Consider $\lambda x{:}X.N$. Is it the case that $\lambda x{:}X.N$ depends naturally on $X$, in the sense of natural transformations of Category Theory? Indeed, natural transformations are the core means of expressing uniformity on objects (as interpretations of types) in categories. Unfortunately, natural transformations act on functors, whereas, in general categories, variable types are not functors. The counterexample is straightforward: the map from $X$ to $X \to X$ (the arrow type) would have to be at once a covariant and a contravariant functor. A partial solution, in the context of the typed $\lambda$-calculus, may be given by considering categories where maps are only retractions (as in [Sco72, SP82, Gir86]) or isomorphisms (as in [DL89]). This is fine for specific purposes, as in those papers, but does not describe the situation in the full generality of a model-theoretic approach. On the other hand, this issue of contra/covariant functors was partly at the origin of relevant generalizations of the notion of functor in mathematics, for example [EK66]; see also [Mac71]. In this line of work, Bainbridge et al. propose to interpret terms as dinatural transformations, yet another elegant categorical notion derived from tensor algebra and algebraic topology. The rub is that, in general, dinatural transformations do not compose, while terms do; however, the interpretation works well (i.e., it is compositional) on relevant models (see [BFSS90, FGSS88, GSS]), in particular on models of relational parametricity as formalized in [PA93]. On essentially similar lines, Freyd suggested a novel notion of structor in order to understand, categorically, the notion of uniformity inherent in second-order $\lambda$-terms.

These attempts suggested brand new constructions and relevant mathematics, but seem still 
insufficient to fill the essential gap between the parametricity of second-order A-calculus and 
the uniformity with respect to objects (and functors) as expressed by natural transformations in 
Category Theory. This is probably one of the few mismatches (together with subtyping versus 
subobjects) out of many deep connections between types and objects, terms and morphisms, 
as summarized, say, in [AL91] and [LS86]. A survey and a classification of the various forms 
of parametricity is proposed in [Lon93]. 

In this paper, we consider a weak extension of system F, suggested by the following simple result of Girard in [Gir71]: given a type $\sigma$, if one takes a term $J_\sigma$ such that, for any type $\tau$, $J_\sigma\tau$ reduces to $1$ if $\sigma = \tau$ and reduces to $0$ if $\sigma \neq \tau$, then $F + J_\sigma$ does not normalize. Since system F normalizes, $J_\sigma$ is not definable in F. The point here is that the polymorphic term $J_\sigma$ gives essentially different output terms, which live in the same type, according to the (values of the) input types. Then, a first point in our understanding of parametricity is that a polymorphic term that gives outputs in the same type for all input types must be constant. This is expressed by the following equational scheme:

(Axiom C)   $M\tau = M\tau'$ for $\Gamma \vdash M : \forall X.\sigma$ and $X \notin FV(\sigma)$

That is, if the outputs of a polymorphic term $M$, applied to any type, all live in the same type, then these outputs are simply equal. Axiom C is not provable in F, but it is compatible with F, that is, system F may be consistently extended with it. Indeed, a generalization of Axiom C appears in the system $F_{<:}$ [CMMS91], which extends system F with subtyping; see rule Eq appl2 there. In our view, the compatibility of Axiom C with system F is one thing to be noted in order to understand parametricity. Moreover, all models that yield the dinatural interpretation of terms in [BFSS90] realize Axiom C, as do PER models in realizability topoi and Girard's models over dI-domains and stable maps. From [ACC93] and [Has93], it also turns out that Axiom C is realized by all models that satisfy Reynolds's relational parametricity condition [MR91]. A categorical characterization of models realizing Axiom C will be outlined in Section 10.

Consider now Fc, the extension of system F with Axiom C. The main result of this paper is the following theorem:

(Genericity Theorem)   Assume $M$ and $N$ live in the same type $\forall X.\sigma$.
If $M\tau =_{Fc} N\tau$ for some type $\tau$, then $M =_{Fc} N$.

The reader should notice where the intended parentheses and the existential quantification are located, and also that there is no restriction on $\sigma$. The Genericity Theorem states the rather strong fact that, in Fc, if two second-order terms coincide on an input type, then they are, in fact, the same function. Or, equivalently, that each input type acts as a generic input, as a variable. It also says, in a sense, that there are "very few" polymorphic functions. Note that the Genericity Theorem does not hold in F. Take, for example, $x : \forall X.\sigma$ with $X \notin FV(\sigma)$, and consider $M = \Lambda X.x\tau$ and $N = \Lambda X.xX$, both of type $\forall X.\sigma$. Then $M\tau =_F N\tau$ (both sides reduce to $x\tau$), but $M$ and $N$ are not F-equal. Indeed, as pointed out by Furio Honsell and one of the referees, it is easy to show that Fc is the least equational extension of F which yields the Genericity Theorem.

Observe finally that, although all models of relational parametricity realize Axiom C, it may be shown that no such model realizes Genericity as an implication. This is a delicate issue, hinted at in Section 10 and discussed extensively in [Lon93]. In the following sections, we recall system F and introduce our syntactic conventions, describe system Fc, and prove the Genericity Theorem.

2 System F 

The language of system F consists of types and terms. A type is either a type variable, a function type, or a polymorphic type, while a term is either a variable, an abstraction, an application, a type abstraction, or a type application. Types and terms have the following syntax:

Types   $\sigma ::= X \mid \sigma \to \tau \mid \forall X.\sigma$
Terms   $M ::= x \mid \lambda x{:}\sigma.M \mid MN \mid \Lambda X.M \mid M\tau$

We will use $\sigma, \tau, \rho, \mu, \nu$ for types and $M, N$ for terms, while for variables we will use $X, Y, Z$ for type variables and $x, y, z$ for term variables. Following the usual conventions for minimizing parentheses, applications associate to the left, $\to$ associates to the right, and the scope of $\forall$, $\lambda$ and $\Lambda$ extends as far to the right as possible. For any type or term $P$, the set of its free (type and term) variables is defined as usual, and written $FV(P)$. Capture-avoiding type substitution and term substitution are also defined as usual on types and terms, and written $[\tau/X]P$ and $[M/x]P$, respectively.

Assignment of types to terms takes place relative to a set of variable declarations, where each declaration assigns a unique type to a term variable. We will use $\Gamma$ for a set of declarations, and we write $\Gamma, x{:}\sigma$ to extend $\Gamma$ with a new declaration $x{:}\sigma$, where $x$ must not occur in $\Gamma$. The substitution of a type in a set of declarations, $[\tau/X]\Gamma$, is defined component-wise as substitution into the type of each declaration in $\Gamma$.
A type assignment is a meta-expression of the form $\Gamma \vdash M : \sigma$, which asserts that term $M$ has, or lives in, type $\sigma$, relative to the declarations in $\Gamma$. The following rules define valid type assignments.

Type Assignment Rules

(declaration)   $\Gamma, x{:}\sigma \vdash x : \sigma$

($\to$-intro)   from $\Gamma, x{:}\sigma \vdash M : \tau$ infer $\Gamma \vdash \lambda x{:}\sigma.M : \sigma \to \tau$

($\to$-elim)   from $\Gamma \vdash M : \sigma \to \tau$ and $\Gamma \vdash N : \sigma$ infer $\Gamma \vdash MN : \tau$

($\forall$-intro)*   from $\Gamma \vdash M : \sigma$ infer $\Gamma \vdash \Lambda X.M : \forall X.\sigma$
   * for $X$ not free in the type of any free term variable in $M$

($\forall$-elim)   from $\Gamma \vdash M : \forall X.\sigma$ infer $\Gamma \vdash M\tau : [\tau/X]\sigma$

Note the restriction on the $\forall$-intro rule: without it, it would be possible to derive inconsistencies such as $x : Y \vdash x : Z$ (from $x : Y \vdash x : Y$ one would derive $x : Y \vdash \Lambda Y.x : \forall Y.Y$, hence $x : Y \vdash (\Lambda Y.x)Z : Z$, and $(\Lambda Y.x)Z$ reduces to $x$). This restriction will show up frequently later.

Equality of terms is defined by the following schemes and rules:

Equational Schemes and Rules

($\beta_1$)   $(\lambda x{:}\sigma.M)N = [N/x]M$
($\beta_2$)   $(\Lambda X.M)\tau = [\tau/X]M$
($\eta_1$)   $\lambda x{:}\sigma.Mx = M$ for $x \notin FV(M)$
($\eta_2$)   $\Lambda X.MX = M$ for $X \notin FV(M)$
($\xi_1$)   from $M = N$ infer $\lambda x{:}\sigma.M = \lambda x{:}\sigma.N$
($\xi_2$)   from $M = N$ infer $\Lambda X.M = \Lambda X.N$
($app_1$)   from $M_1 = M_2$ and $N_1 = N_2$ infer $M_1N_1 = M_2N_2$
($app_2$)   from $M = N$ infer $M\tau = N\tau$
(refl)   $M = M$
(sym)   from $M_1 = M_2$ infer $M_2 = M_1$
(trans)   from $M_1 = M_2$ and $M_2 = M_3$ infer $M_1 = M_3$

We will use the symbol $\equiv$ for syntactic identity. For types, $\sigma \equiv \tau$ is the same as $\sigma = \tau$ while, for terms, $M \equiv N$ implies $M = N$ but not vice versa.

Reduction of terms is defined as usual by the (contextual, reflexive and transitive) closure of the following rules:

($\beta_1$)   $(\lambda x{:}\sigma.M)N \to_\beta [N/x]M$
($\beta_2$)   $(\Lambda X.M)\tau \to_\beta [\tau/X]M$
($\eta_1$)   $\lambda x{:}\sigma.Mx \to_\eta M$ for $x \notin FV(M)$
($\eta_2$)   $\Lambda X.MX \to_\eta M$ for $X \notin FV(M)$

We will write $\to_F$ for the union of these reductions.
The following important properties hold for system F.

Unique Typing: a well-typed term lives in a unique type: if $\Gamma \vdash M : \sigma$ and $\Gamma \vdash M : \tau$, then $\sigma \equiv \tau$.

Strong Normalization: there are no infinite reduction sequences from well-typed terms.

Church-Rosser: if $M \to_F M_1$ and $M \to_F M_2$, then there exists an $M_0$ such that $M_1 \to_F M_0$ and $M_2 \to_F M_0$.

Equational Church-Rosser: if $M_1 =_F M_2$, then there exists an $M_0$ such that $M_1 \to_F M_0$ and $M_2 \to_F M_0$.

3 System Fc 

System Fc is formed by adding the following equational scheme to system F:

(Axiom C)   $M\tau = M\tau'$ for $\Gamma \vdash M : \forall X.\sigma$ and $X \notin FV(\sigma)$

That is, if the outputs of the polymorphic function $M$ live in a type $\sigma$ that does not depend on $M$'s input type, then the outputs are equal, regardless of the input type. Or, equivalently, $M$ is constant.

Axiom C equates more terms than system F does. We will write $M =_F N$ for F-equations and $M =_{Fc} N$ for Fc-equations. Clearly, Axiom C is not provable in system F. Take $x : \forall X.\sigma$ with $X \notin FV(\sigma)$, and apply Axiom C to $x$. This gives

$x\tau =_{Fc} x\rho$

These two terms would be equated in system F only if $\tau \equiv \rho$.

Since system Fc adds no new terms, types, typing rules, or reductions, it enjoys the same non-equational properties as system F, such as unique typing of terms, as well as strong normalization and the Church-Rosser property (relative to $\to_F$). However, a number of equational properties fail for Fc, in particular the equational Church-Rosser property: for example, even though $x\tau =_{Fc} x\rho$ as above, there is no common term to which both $x\tau$ and $x\rho$ reduce.
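The typing rules of Section 2 and the side condition of Axiom C can be mechanized in a few dozen lines. The following Python block is an added example, not code from the paper: it encodes System F types and terms as tuples, checks type assignments (with the $\forall$-intro side condition exactly as stated above, i.e. looking only at the free term variables of the body), reduces terms to $\beta$-normal form, and tests whether Axiom C applies to a term. The declarations, the type variables A and B and the terms M and N at the end are constructed to reproduce the counterexample of the Introduction ($M = \Lambda X.x\tau$, $N = \Lambda X.xX$) and the equation $x\tau =_{Fc} x\rho$ above; $\eta$-reduction is omitted since the cases shown do not need it.

```python
# Types: ('var', X) | ('arrow', s, t) | ('forall', X, s)
# Terms: ('x', x) | ('lam', x, s, M) | ('app', M, N) | ('Lam', X, M) | ('tapp', M, s)
def var(n): return ('var', n)
def arrow(a, b): return ('arrow', a, b)
def forall(n, b): return ('forall', n, b)

def fv_type(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'arrow': return fv_type(t[1]) | fv_type(t[2])
    return fv_type(t[2]) - {t[1]}

def _apart(bound, s):
    # As in the paper, bound variables are renamed apart beforehand, not on the fly.
    if bound in s or any(bound in fv_type(r) for r in s.values()):
        raise ValueError(f"rename bound type variable {bound} apart first")

def subst_type(t, s):
    """Simultaneous type substitution [s]t into a type."""
    if t[0] == 'var': return s.get(t[1], t)
    if t[0] == 'arrow': return arrow(subst_type(t[1], s), subst_type(t[2], s))
    _apart(t[1], s)
    return forall(t[1], subst_type(t[2], s))

def fv_term(m):
    if m[0] == 'x': return {m[1]}
    if m[0] == 'lam': return fv_term(m[3]) - {m[1]}
    if m[0] == 'app': return fv_term(m[1]) | fv_term(m[2])
    return fv_term(m[1] if m[0] == 'tapp' else m[2])

def subst_type_term(m, s):
    """Type substitution [s]M into a term."""
    k = m[0]
    if k == 'x': return m
    if k == 'lam': return ('lam', m[1], subst_type(m[2], s), subst_type_term(m[3], s))
    if k == 'app': return ('app', subst_type_term(m[1], s), subst_type_term(m[2], s))
    if k == 'tapp': return ('tapp', subst_type_term(m[1], s), subst_type(m[2], s))
    _apart(m[1], s)
    return ('Lam', m[1], subst_type_term(m[2], s))

def subst_term(m, x, n):
    """Term substitution [n/x]m (bound variables assumed renamed apart from n)."""
    k = m[0]
    if k == 'x': return n if m[1] == x else m
    if k == 'lam':
        if m[1] == x: return m
        if m[1] in fv_term(n): raise ValueError(f"rename bound variable {m[1]} apart first")
        return ('lam', m[1], m[2], subst_term(m[3], x, n))
    if k == 'app': return ('app', subst_term(m[1], x, n), subst_term(m[2], x, n))
    if k == 'tapp': return ('tapp', subst_term(m[1], x, n), m[2])
    return ('Lam', m[1], subst_term(m[2], x, n))

def typeof(ctx, m):
    """The type assignment rules; raises TypeError when no rule applies."""
    k = m[0]
    if k == 'x':                                          # (declaration)
        if m[1] not in ctx: raise TypeError(f"undeclared variable {m[1]}")
        return ctx[m[1]]
    if k == 'lam':                                        # (->-intro)
        return arrow(m[2], typeof({**ctx, m[1]: m[2]}, m[3]))
    if k == 'app':                                        # (->-elim)
        f, a = typeof(ctx, m[1]), typeof(ctx, m[2])
        if f[0] != 'arrow' or f[1] != a: raise TypeError("argument type mismatch")
        return f[2]
    if k == 'tapp':                                       # (forall-elim)
        f = typeof(ctx, m[1])
        if f[0] != 'forall': raise TypeError("type application of a non-polymorphic term")
        return subst_type(f[2], {f[1]: m[2]})
    X, body = m[1], m[2]                                  # (forall-intro), side condition:
    for v in fv_term(body):                               # X must not be free in the type
        if X in fv_type(ctx[v]):                          # of any free term variable of M
            raise TypeError(f"{X} is free in the type of {v}")
    return forall(X, typeof(ctx, body))

def normalize(m):
    """beta_1/beta_2 normal form; terminates by strong normalization of F."""
    k = m[0]
    if k == 'x': return m
    if k == 'lam': return ('lam', m[1], m[2], normalize(m[3]))
    if k == 'Lam': return ('Lam', m[1], normalize(m[2]))
    if k == 'app':
        f, a = normalize(m[1]), normalize(m[2])
        return normalize(subst_term(f[3], f[1], a)) if f[0] == 'lam' else ('app', f, a)
    f = normalize(m[1])
    return normalize(subst_type_term(f[2], {f[1]: m[2]})) if f[0] == 'Lam' else ('tapp', f, m[2])

def well_typed(ctx, m):
    try: return typeof(ctx, m) is not None
    except TypeError: return False

def axiom_c_applies(ctx, m):
    """Side condition of Axiom C: M : forall X.sigma with X not free in sigma."""
    t = typeof(ctx, m)
    return t[0] == 'forall' and t[1] not in fv_type(t[2])

# Constructed inputs: x : forall X.A with A a type variable other than X (so X is not
# free in A); M = Lambda X.x tau and N = Lambda X.x X are the Introduction's counterexample.
CTX = {"x": forall("X", var("A"))}
TAU, RHO = var("B"), arrow(var("B"), var("B"))
M = ('Lam', "X", ('tapp', ('x', "x"), TAU))
N = ('Lam', "X", ('tapp', ('x', "x"), var("X")))
```

`normalize` sends both $M\tau$ and $N\tau$ to the same term $x\tau$ while `normalize(M)` and `normalize(N)` differ, which is the failure of Genericity in F; `axiom_c_applies` accepts $x$ because its type $\forall X.A$ does not mention $X$, yet $x\tau$ and $x\rho$ have distinct normal forms, which is the failure of equational Church-Rosser for Fc noted above; and `well_typed` rejects $\Lambda X.y$ under $y : X$, the side condition of $\forall$-intro.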

In the proof of the Genericity Theorem, it will generally be more convenient to use a term with a type substitution structure such as $[\tau/X]M$ instead of a polymorphic application $M\tau$. Thus, we may use the following formulation of Axiom C:

(Axiom C*)   $[\tau/X]M = [\tau'/X]M$ for $\Gamma \vdash M : \sigma$ and $X \notin FV(\Gamma) \cup FV(\sigma)$

It is simple to prove that Axiom C and Axiom C* are equivalent. We give the proof to stress the extra side-condition $X \notin FV(\Gamma)$ on Axiom C* and its relation to the side-condition on $\forall$-introduction. These conditions will appear frequently in the later proofs. We will write $M =_C N$ and $M =_{C^*} N$ if $M$ and $N$ are equal by applications of Axiom C only, respectively of Axiom C* only.

Remark: Axiom C* is equivalent to Axiom C.

Axiom C implies Axiom C*:
Assume that $\Gamma \vdash M : \sigma$ and $X \notin FV(\Gamma) \cup FV(\sigma)$.
Since $X \notin FV(\Gamma)$, $X$ is not free in the type of any free term variable in $M$.
So, by $\forall$-intro, $\Gamma \vdash \Lambda X.M : \forall X.\sigma$. Also, $X \notin FV(\sigma)$.
Thus, by Axiom C and $\beta_2$, $[\tau/X]M =_{\beta_2} (\Lambda X.M)\tau =_C (\Lambda X.M)\tau' =_{\beta_2} [\tau'/X]M$.

Axiom C* implies Axiom C:
Assume that $\Gamma \vdash M : \forall X.\sigma$ and $X \notin FV(\sigma)$.
Let $Z$ be a fresh type variable. Then $\Gamma \vdash MZ : \sigma$ (since $[Z/X]\sigma = \sigma$), and $Z$ is not free in any of $\Gamma$, $M$, $\sigma$.
Thus, by Axiom C*, $M\tau \equiv [\tau/Z](MZ) =_{C^*} [\tau'/Z](MZ) \equiv M\tau'$. ∎

4 Roadmap to the Proof of Genericity 

In this section, we outline the route to the proof of the Genericity Theorem:

Assume $M$ and $N$ live in the same type $\forall X.\sigma$.
If $M\tau =_{Fc} N\tau$ for some type $\tau$, then $M =_{Fc} N$.

The hard part is to prove the following Main Lemma, which is a substitution formulation of the Theorem:

Assume $M$ and $N$ live in the same type $\sigma$.
If $[\tau/X]M =_{Fc} [\tau/X]N$ for some type $\tau$, then $M =_{Fc} N$.

The first remark to be made about the proof is that it is not an induction. The point is that corresponding subterms of Fc-equal terms need not live in the same type. The following example illustrates why.

Example: Assume $x : \forall Y.Y$ and $z : \forall Y_1.\forall Y_2.Y_1 \to Y_2$. Let $X$ and $Z$ be fresh type variables. Then Axiom C* can be applied (with respect to $Z$) to the term $zZX(xZ) : X$ to obtain

$z\tau X(x\tau) =_{Fc} z\rho X(x\rho)$

Note that the subterms $z\tau X$ and $z\rho X$ live in the different types $\tau \to X$ and $\rho \to X$.

However, this example also provides a hint to the proof of Genericity. Observe that the Fc-equality $z\tau X(x\tau) =_{Fc} z\rho X(x\rho)$ is obtained via the intermediate term $zZX(xZ)$, to which Axiom C* is applied. Furthermore, $z\tau X(x\tau)$ and $z\rho X(x\rho)$ are both instances of this term, using the type substitutions $[\tau/Z]$ and $[\rho/Z]$ respectively. Approximately then, the hint is this: given two Fc-equal terms, construct a common term that can be instantiated to the two terms by type substitutions, and to which Axiom C* can be applied.

The proof thus begins in Section 5 by developing the notion of a generalizer for second-order terms. This is a novel idea for the polymorphic $\lambda$-calculus, although it is, of course, related to generalizers and anti-unifiers of first-order calculi. Given two second-order terms that are identified by type substitutions, we construct a common term that can be instantiated, by type substitutions, to the original terms. Similarly, we can construct a common type that can be instantiated, by type substitutions, to two given types. Furthermore, if the two terms live in two different types, then the generalizer of the terms lives in the generalizer of the types. Note that this notion of generalizer uses type substitutions, not term substitutions (as is usual for first-order terms).

In Section 6, we use generalizers to prove the following Weak Genericity theorem:

Assume $M$ and $N$ live in the same type $\sigma$.
If $[\tau/X]M =_F [\tau/X]N$ for some type $\tau$, then $M =_{Fc} N$.

The weakness arises because an F-equality is used in the premise instead of an Fc-equality. This theorem is used in the final result, and it marks an important halfway point in the overall proof.

The proof proceeds next with a property of C*-equality that we call Quasi-Genericity: if a term has a type substitution structure (is of the form $[\tau/X]M$) and Axiom C* is applied to it, then that exact type substitution structure is preserved, that is, the result is of the form $[\tau/X]N$ and, moreover, $M =_{C^*} N$. The proof of this also uses generalizers and is given in Section 7, where we also give a counterexample to show that F-equality does not satisfy this property. Using Quasi-Genericity, we are able to prove another weak version of Genericity, this time with C*-equality in the premise instead of Fc-equality:

Assume $M$ and $N$ live in the same type $\sigma$.
If $[\tau/X]M =_{C^*} [\tau/X]N$ for some type $\tau$, then $M =_{Fc} N$.

Finally, in Section 9, we draw all the pieces together to prove the Main Lemma. This involves examining the chain of F- and C*-equalities $[\tau/X]M =_{Fc} [\tau/X]N$. Unfortunately, F-equality and C*-equality do not commute, but, in Section 8, we show that forward $\beta_1\beta_2\eta_1$ reduction (but not $\eta_2$ reduction) commutes with C*-equality. Using this fact, the Church-Rosser property for F-reductions, and Quasi-Genericity of C*-equality, we "push" the $[\tau/X]$ substitution structure from $[\tau/X]M$ through the chain so that each node in the chain has the form $[\tau/X]M_i$ for some $M_i$ with $M =_{Fc} M_i$. Finally, we use Weak Genericity for F- and C*-equality to show that the final node $[\tau/X]N$ in the chain is such that $M =_{Fc} N$. This gives the Genericity result.



Research Report No. 21, December 1992. Giuseppe Longo, Kathleen Milsted, and Sergei Soloviev.



5 Type and Term Generalizers 

In this section, we construct a notion of generalizer for types and terms. In short, a generalizer of two types (terms) may be instantiated, using type substitutions, to the two types (terms), under suitable conditions. Generalizers are used in later sections, where we show that, in the case of term generalizers, the typing of the generalizer permits Axiom C* to be applied to it, resulting in Fc-equality of the two terms.

As motivation, consider two terms $M_1$ and $M_2$ such that $[\tau/X]M_1 = [\rho/Y]M_2$. Then, approximately, a generalizer of $M_1$ and $M_2$, with respect to a fresh type variable $Z$, is a term $M_0$ such that, for suitable types $\mu_1, \mu_2$:

$[\mu_1/Z]M_0 = M_1$
$[\mu_2/Z]M_0 = M_2$

In other words, if two terms can be unified as above, then we construct a common "term schema" which can be instantiated, by type substitutions, to both of them. This is an abstract notion of a generalizer though, and the generalizers that we construct here require more details, including an analysis of the occurrences of $\tau$ in $\rho$ or of $\rho$ in $\tau$.

Definition: $\mathrm{in}_k$
If there are $k \geq 0$ occurrences of type $\tau$ in type $\rho$, we will write $\tau \;\mathrm{in}_k\; \rho$.

Definition: Context
Let $\tau, \rho, \rho'$ be types and let $X$ be a type variable. We say that $\rho'$ is an $X$-context for $\tau$ in $\rho$ if $[\tau/X]\rho' = \rho$.

If $\tau \;\mathrm{in}_k\; \rho$ with $k > 0$ then, given fresh $X$, there are $2^k$ different $X$-contexts for $\tau$ in $\rho$ (one for each subset of the $k$ occurrences that is replaced by $X$). We will assume given an enumeration of these contexts, which we will write as $\rho^X_1, \dots, \rho^X_h$ where $h = 2^k$. By convention, we take $\rho^X_1$ to be $\rho$. For example, if $\tau = \rho$, then there are two $X$-contexts for $\tau$ in $\rho$: $\rho^X_1 = \rho$ and $\rho^X_2 = X$.

Substitution Convention
Let $P_1, P_2$ be either two terms, or two types, or two sets of variable declarations. If $[\tau/X]P_1 = [\rho/Y]P_2$ for some types $\tau$ and $\rho$, then we will assume, with no loss of generality, that, by variable renaming, $X$ and $Y$ are not free in $\tau$ and $\rho$.
Definition: Generalizer
Let $P_1, P_2$ be either two terms, or two types, or two sets of variable declarations, such that $[\tau/X]P_1 = [\rho/Y]P_2$ for some types $\tau$ and $\rho$.

• Case: $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$.
Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, we say that $P_0$ is a $Z_0, \dots, Z_h$-generalizer of $P_1$ and $P_2$ iff $X$ and $Y$ are not free in $P_0$ and

$[X/Z_0,\ \rho^X_1/Z_1,\ \dots,\ \rho^X_h/Z_h]P_0 = P_1$
$[\tau/Z_0,\ Y/Z_1,\ \dots,\ Y/Z_h]P_0 = P_2$

where $\rho^X_1, \dots, \rho^X_h$ are the $X$-contexts for $\tau$ in $\rho$.

• Case: $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and the previous case does not apply.
Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, we say that $P_0$ is a $Z_0, \dots, Z_h$-generalizer of $P_1$ and $P_2$ iff $X$ and $Y$ are not free in $P_0$ and

$[\rho/Z_0,\ X/Z_1,\ \dots,\ X/Z_h]P_0 = P_1$
$[Y/Z_0,\ \tau^Y_1/Z_1,\ \dots,\ \tau^Y_h/Z_h]P_0 = P_2$

where $\tau^Y_1, \dots, \tau^Y_h$ are the $Y$-contexts for $\rho$ in $\tau$.

Observe that, if $\tau = \rho$, then the first case of the definition applies, by $\tau \;\mathrm{in}_1\; \rho$, giving

$[X/Z_0,\ \rho/Z_1,\ X/Z_2]P_0 = P_1$
$[\tau/Z_0,\ Y/Z_1,\ Y/Z_2]P_0 = P_2$

If $\tau$ and $\rho$ are unrelated (i.e., they do not occur in each other), then the second case applies, by $\rho \;\mathrm{in}_0\; \tau$:

$[\rho/Z_0,\ X/Z_1]P_0 = P_1$
$[Y/Z_0,\ \tau/Z_1]P_0 = P_2$

Indeed, no matter how $\tau$ and $\rho$ are related, exactly one case of the definition applies: for example, one cannot have both $\tau \;\mathrm{in}_k\; \rho$ and $\rho \;\mathrm{in}_j\; \tau$ with $k, j > 0$ unless $\tau = \rho$ (and then the first case applies, with $k = 1$), and if $\tau \;\mathrm{in}_0\; \rho$ then only the second case is available.

Lemma 5.1 (Type Generalization)
Let $\sigma_1, \sigma_2$ be two types such that $[\tau/X]\sigma_1 = [\rho/Y]\sigma_2$ for some types $\tau$ and $\rho$. Assume that $k$ is given either by $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, or by $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, there exists a type $\sigma_0$ that is a $Z_0, \dots, Z_h$-generalizer of $\sigma_1$ and $\sigma_2$.

Proof: Let $\sigma = [\tau/X]\sigma_1 = [\rho/Y]\sigma_2$ and perform the following markings:

• Mark in $\sigma$ those occurrences of $\tau$ that derive from $\sigma_1$ by the $[\tau/X]$ substitution (i.e., that replace an occurrence of $X$ in $\sigma_1$).
• Mark in $\sigma$ those occurrences of $\rho$ that derive from $\sigma_2$ by the $[\rho/Y]$ substitution.

Consider first the case where $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$. Observe that some of the marked $\tau$s may appear in a marked $\rho$. Construct then $\sigma_0$ from $\sigma$ by the following procedure:

1. Replace by $Z_0$ all marked $\tau$s that do not occur in a marked $\rho$.
2. Consider now a marked $\rho$, possibly containing marked $\tau$s. Let $\rho^X_i$ be the corresponding $X$-context in $\rho$ for the marked $\tau$s (if there are no marked $\tau$s, this will be $\rho^X_1 = \rho$). Replace the marked $\rho$ by $Z_i$.

In the alternative case, $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case, observe that some of the marked $\rho$s may appear in a marked $\tau$. Then apply the dual construction procedure, where the roles of $\rho$ and $\tau$ in steps 1 and 2 are interchanged, and $\tau^Y_i$, the $Y$-contexts for $\rho$ in $\tau$, are used instead of $\rho^X_i$, the $X$-contexts for $\tau$ in $\rho$. ∎
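The marking procedure in the proof of Lemma 5.1 can be carried out by walking $\sigma_1$ and $\sigma_2$ in parallel: a position where $\sigma_2$ is $Y$ is a marked $\rho$, and the subtree of $\sigma_1$ at that position is precisely the $X$-context $\rho^X_i$ recording which of the inner $\tau$s are marked (they are the $X$s of $\sigma_1$); a position where $\sigma_1$ is $X$ and $\sigma_2$ is not $Y$ is a marked $\tau$ outside any marked $\rho$, hence becomes $Z_0$. The following Python block is an added example, not code from the paper: it implements this for both cases of the definition, numbers the $Z_i$ in order of first use (which fixes one enumeration of the $2^k$ contexts and leaves out the unused ones), and checks the two defining equations of a generalizer. The sample types at the end are constructed.

```python
# Types: ('var', X) | ('arrow', s, t) | ('forall', X, s), following the paper's grammar.
def var(n): return ('var', n)
def arrow(a, b): return ('arrow', a, b)
def forall(n, b): return ('forall', n, b)

def fv(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'arrow': return fv(t[1]) | fv(t[2])
    return fv(t[2]) - {t[1]}

def subst(t, s):
    """Simultaneous substitution [s]t; bound variables are assumed renamed apart."""
    if t[0] == 'var': return s.get(t[1], t)
    if t[0] == 'arrow': return arrow(subst(t[1], s), subst(t[2], s))
    if t[1] in s or any(t[1] in fv(r) for r in s.values()):
        raise ValueError(f"rename bound variable {t[1]} apart first")
    return forall(t[1], subst(t[2], s))

def count_in(tau, rho):
    """The k with tau in_k rho: number of occurrences of tau inside rho."""
    if rho == tau: return 1
    if rho[0] == 'arrow': return count_in(tau, rho[1]) + count_in(tau, rho[2])
    return count_in(tau, rho[2]) if rho[0] == 'forall' else 0

def generalize(s1, x, s2, y, tau, rho):
    """Return (s0, contexts): s0 is the Z_0..Z_h-generalizer of s1 and s2, and contexts
    maps each Z_i (i >= 1) occurring in s0 to the context it stands for (an X-context
    for tau in rho in the first case, a Y-context for rho in tau in the second)."""
    if subst(s1, {x: tau}) != subst(s2, {y: rho}):
        raise ValueError("[tau/X]s1 and [rho/Y]s2 differ")
    if {x, y} & (fv(tau) | fv(rho)):
        raise ValueError("substitution convention violated: X or Y free in tau or rho")
    case1 = count_in(tau, rho) > 0                  # tau in_k rho with k > 0
    contexts = {}

    def z_for(ctx):                                 # Z_i for a context, numbered by first use
        for z, c in contexts.items():
            if c == ctx: return var(z)
        z = f"Z{len(contexts) + 1}"
        contexts[z] = ctx
        return var(z)

    def walk(a, b):
        if case1:
            # b == Y is a marked rho from s2; the s1 subtree a is then exactly the X-context
            # whose X's are the marked taus inside that rho.
            if b == var(y): return z_for(a)
            if a == var(x): return var("Z0")       # a marked tau outside any marked rho
        else:
            if a == var(x): return z_for(b)        # dually: b is a Y-context for rho in tau
            if b == var(y): return var("Z0")
        if a[0] == 'var' and a == b: return a
        if a[0] == b[0] == 'arrow': return arrow(walk(a[1], b[1]), walk(a[2], b[2]))
        if a[0] == b[0] == 'forall' and a[1] == b[1]: return forall(a[1], walk(a[2], b[2]))
        raise ValueError(f"no generalizer: {a} versus {b}")

    return walk(s1, s2), contexts

def instantiates(s0, contexts, s1, x, s2, y, tau, rho):
    """Check the two defining equations of a Z_0..Z_h-generalizer, in either case."""
    if count_in(tau, rho) > 0:
        to1 = {"Z0": var(x), **contexts}                       # [X/Z0, rho_i^X/Z_i]
        to2 = {"Z0": tau, **{z: var(y) for z in contexts}}     # [tau/Z0, Y/Z_i]
    else:
        to1 = {"Z0": rho, **{z: var(x) for z in contexts}}     # [rho/Z0, X/Z_i]
        to2 = {"Z0": var(y), **contexts}                       # [Y/Z0, tau_i^Y/Z_i]
    return subst(s0, to1) == s1 and subst(s0, to2) == s2

# Constructed example with tau in_2 rho: sigma_1 = (X -> A) -> X and sigma_2 = Y -> A
# both instantiate to (A -> A) -> A under [A/X] and [(A -> A)/Y].
A = var("A")
EX = (arrow(arrow(var("X"), A), var("X")), "X", arrow(var("Y"), A), "Y", A, arrow(A, A))
```

On `EX` the walk produces $Z_1 \to Z_0$ with $Z_1$ standing for the context $X \to A$: the left $\rho$ of $\sigma$ contains one marked $\tau$ (its first $A$ comes from the $X$ of $\sigma_1$), while the right marked $\tau$ sits outside any marked $\rho$.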

In the following lemma, we show that, once fresh variables $Z_0, \dots, Z_h$ are fixed, the generalizer of two types is unique. This lemma makes explicit use of the substitution convention, i.e., that $X, Y \notin FV(\tau) \cup FV(\rho)$, without which it would fail.

Lemma 5.2 (Uniqueness of Type Generalizer)
Let $\sigma_1, \sigma_2$ be two types such that $[\tau/X]\sigma_1 = [\rho/Y]\sigma_2$ for some types $\tau$ and $\rho$. Assume that $k$ is given either by $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, or by $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, the $Z_0, \dots, Z_h$-generalizer of $\sigma_1$ and $\sigma_2$ is unique.

Proof: Assume first that $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, and abbreviate the two instantiating substitutions of the definition as $\theta_1 = [X/Z_0, \rho^X_1/Z_1, \dots, \rho^X_h/Z_h]$ and $\theta_2 = [\tau/Z_0, Y/Z_1, \dots, Y/Z_h]$.
Let $\sigma_0$ and $\sigma'_0$ be two $Z_0, \dots, Z_h$-generalizers of $\sigma_1, \sigma_2$. Then, by definition,

$\theta_1\sigma_0 = \sigma_1 = \theta_1\sigma'_0$   (1)
$\theta_2\sigma_0 = \sigma_2 = \theta_2\sigma'_0$   (2)

with $X$ and $Y$ not free in $\sigma_0$ or $\sigma'_0$. We will show that $\sigma_0 = \sigma'_0$ by induction on $\sigma_0$.

Subcase: Assume that $\sigma_0 = Z_0$. Then (1) and (2) become
$X = \sigma_1 = \theta_1\sigma'_0$
$\tau = \sigma_2 = \theta_2\sigma'_0$
We now consider the possible choices for $\sigma'_0$. Clearly, $\sigma'_0$ cannot be $X$ since $X \notin FV(\sigma'_0)$. Nor can $\sigma'_0$ be $\tau$ since then (1) becomes $X = \sigma_1 = \tau$ but, by the substitution convention, $X \notin FV(\tau)$. Further, $\sigma'_0$ cannot be $Z_i$ for some $i = 1 \dots h$, because then (2) becomes $\tau = \sigma_2 = Y$ but, by the substitution convention again, $Y \notin FV(\tau)$. The only choice is $\sigma'_0 = Z_0 = \sigma_0$.

Subcase: Assume that $\sigma_0 = Z_i$ for some $i = 1 \dots h$. Then (1) and (2) become
$\rho^X_i = \sigma_1 = \theta_1\sigma'_0$
$Y = \sigma_2 = \theta_2\sigma'_0$
First, $\sigma'_0$ cannot be $Y$ since $Y \notin FV(\sigma'_0)$. Furthermore, $\sigma'_0$ cannot be $\rho^X_i$ since, for $i = 1$, (2) becomes $Y = \sigma_2 = \rho^X_1 = \rho$ but, by the substitution convention, $Y \notin FV(\rho)$, and, for $i = 2 \dots h$, $X \in FV(\rho^X_i)$ but $X \notin FV(\sigma'_0)$. Also, $\sigma'_0$ cannot be $Z_0$ since then (2) becomes $Y = \sigma_2 = \tau$ but, by the substitution convention again, $Y \notin FV(\tau)$. Similarly, $\sigma'_0$ cannot be $Z_j$ for some $j = 1 \dots h$ with $j \neq i$, since then (1) becomes $\rho^X_i = \sigma_1 = \rho^X_j$ but $\rho^X_i \neq \rho^X_j$ for $i \neq j$. The only choice is $\sigma'_0 = Z_i = \sigma_0$.

Subcase: Assume that $\sigma_0 = Z$ with $Z \neq Z_i$ for $i = 0 \dots h$. Then (1) and (2) become
$Z = \sigma_1 = \theta_1\sigma'_0$
$Z = \sigma_2 = \theta_2\sigma'_0$
Since $X$ and $Y$ are not free in $\sigma_0$, we have $Z \neq X$ and $Z \neq Y$ and, moreover, $\sigma'_0$ cannot be $Z_i$ for any $i = 0 \dots h$. The only choice is $\sigma'_0 = Z = \sigma_0$.

Subcase: Assume that $\sigma_0 = \sigma \to \mu$. Then (1) and (2) become
$\theta_1(\sigma \to \mu) = \sigma_1 = \theta_1\sigma'_0$
$\theta_2(\sigma \to \mu) = \sigma_2 = \theta_2\sigma'_0$
Remark that $\sigma'_0$ cannot be $Z_i$ for any $i = 0 \dots h$ since then an $\to$ type would be on the left of (1) and (2) but a type variable would be on the right ($X$ in (1) if $\sigma'_0 = Z_0$, and $Y$ in (2) if $\sigma'_0 = Z_i$ with $i \geq 1$). So $\sigma'_0$ must be of the form $\sigma' \to \mu'$ with $\sigma, \sigma'$ and $\mu, \mu'$ satisfying equations similar to (1) and (2). By induction, $\sigma = \sigma'$ and $\mu = \mu'$. Hence $\sigma'_0 = \sigma' \to \mu' = \sigma \to \mu = \sigma_0$.

Subcase: Assume that $\sigma_0 = \forall Z.\sigma$ (with $Z$ distinct from $Z_0, \dots, Z_h$). Then (1) and (2) become
$\theta_1(\forall Z.\sigma) = \sigma_1 = \theta_1\sigma'_0$
$\theta_2(\forall Z.\sigma) = \sigma_2 = \theta_2\sigma'_0$
As in the previous subcase, $\sigma'_0$ cannot be $Z_i$ for any $i = 0 \dots h$. So $\sigma'_0$ must be of the form $\forall Z.\sigma'$. By induction, $\sigma = \sigma'$. Hence $\sigma'_0 = \forall Z.\sigma' = \forall Z.\sigma = \sigma_0$.

Treat dually the case $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. ∎



Lemma 5.3
Let $\sigma_1, \sigma_2, \mu_1, \mu_2$ be types such that $[\tau/X]\sigma_1 = [\rho/Y]\sigma_2$ and $[\tau/X]\mu_1 = [\rho/Y]\mu_2$. Assume that $k$ is given either by $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, or by $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, let $\sigma_0$ and $\mu_0$ be the $Z_0, \dots, Z_h$-generalizers of $\sigma_1, \sigma_2$ and of $\mu_1, \mu_2$, respectively. Then, for any $Z$ different from $Z_0, \dots, Z_h$, $[\mu_0/Z]\sigma_0$ is the $Z_0, \dots, Z_h$-generalizer of $[\mu_1/Z]\sigma_1$ and $[\mu_2/Z]\sigma_2$.

Proof: by expanding $\sigma_1, \sigma_2$ and $\mu_1, \mu_2$ in terms of their generalizers. ∎
Lemma 5.4 (Generalization of Declarations)
Let $\Gamma_1, \Gamma_2$ be two sets of declarations such that $[\tau/X]\Gamma_1 = [\rho/Y]\Gamma_2$. Assume that $k$ is given either by $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, or by $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, there exists a set of declarations $\Gamma_0$ that is the unique $Z_0, \dots, Z_h$-generalizer of $\Gamma_1$ and $\Gamma_2$.

Proof: Since $[\tau/X]\Gamma_1 = [\rho/Y]\Gamma_2$, $\Gamma_1$ and $\Gamma_2$ must declare the same term variables. Thus, we can assume that $\Gamma_1 = x_1{:}\sigma^1_1, \dots, x_n{:}\sigma^1_n$ and $\Gamma_2 = x_1{:}\sigma^2_1, \dots, x_n{:}\sigma^2_n$ with $[\tau/X]\sigma^1_i = [\rho/Y]\sigma^2_i$ for $i = 1 \dots n$.

Furthermore, by the assumption on $[\tau/X]\Gamma_1 = [\rho/Y]\Gamma_2$, the substitution convention applies to each $[\tau/X]\sigma^1_i = [\rho/Y]\sigma^2_i$.

So, for $i = 1 \dots n$, construct the unique $Z_0, \dots, Z_h$-generalizer $\sigma^0_i$ of $\sigma^1_i$ and $\sigma^2_i$ (Lemmas 5.1 and 5.2).

Then $\Gamma_0 = x_1{:}\sigma^0_1, \dots, x_n{:}\sigma^0_n$ is the unique $Z_0, \dots, Z_h$-generalizer of $\Gamma_1$ and $\Gamma_2$. ∎
The next theorem is the main result of this section. It constructs a well-typed generalizer of two terms living in two different types. Uniqueness of type generalizers turns out to be essential in the proof (see the $\to$-elim case). The point to note is not just that we can construct a generalizer for $M_1$ and $M_2$, but that we can construct one that is well-typed, and that lives in the type generalizer of the types of $M_1$ and $M_2$.

Theorem 5.5 (Term Generalization)
Let $\Gamma_1 \vdash M_1 : \sigma_1$ and $\Gamma_2 \vdash M_2 : \sigma_2$ be such that $[\tau/X]\Gamma_1 = [\rho/Y]\Gamma_2$ and $[\tau/X]M_1 = [\rho/Y]M_2$ for some types $\tau$ and $\rho$. Assume that $k$ is given either by $\tau \;\mathrm{in}_k\; \rho$ for $k > 0$, or by $\rho \;\mathrm{in}_k\; \tau$ for $k \geq 0$ and not the previous case. Let $h = 2^k$. Given fresh type variables $Z_0, \dots, Z_h$, there exist a set of declarations $\Gamma_0$, a term $M_0$, and a type $\sigma_0$ that are the unique $Z_0, \dots, Z_h$-generalizers of $\Gamma_1, \Gamma_2$; $M_1, M_2$; and $\sigma_1, \sigma_2$, respectively, and such that $\Gamma_0 \vdash M_0 : \sigma_0$.

Proof: Construct $\Gamma_0, M_0, \sigma_0$ by induction on the derivation of $\Gamma_1 \vdash M_1 : \sigma_1$.

Observe first that $[\tau/X]\sigma_1 = [\rho/Y]\sigma_2$, since $[\tau/X]M_1 = [\rho/Y]M_2$ must live in a unique type. Also, by the assumption on either $[\tau/X]\Gamma_1 = [\rho/Y]\Gamma_2$ or $[\tau/X]M_1 = [\rho/Y]M_2$, the substitution convention applies, giving $X, Y \notin FV(\tau) \cup FV(\rho)$. (In the proof, we will write just "generalizer" instead of "$Z_0, \dots, Z_h$-generalizer".)

Case: Assume that $\Gamma_1 \vdash M_1 : \sigma_1$ holds by a variable declaration in $\Gamma_1$.
Then $M_1 = x$ and $x{:}\sigma_1 \in \Gamma_1$. From the assumption $[\tau/X]M_1 = [\rho/Y]M_2$, we obtain $M_2 = x$. Furthermore, because $\Gamma_2 \vdash M_2 : \sigma_2$, $x{:}\sigma_2 \in \Gamma_2$. Take now $\Gamma_0$ to be the unique generalizer of $\Gamma_1, \Gamma_2$ by Lemma 5.4, and $\sigma_0$ to be the unique generalizer of $\sigma_1, \sigma_2$ by Type Generalization (Lemma 5.1). Observe that, by construction, $x{:}\sigma_0 \in \Gamma_0$, from which $\Gamma_0 \vdash x : \sigma_0$. Since $x$ is clearly the only generalizer of $M_1 = x$ and $M_2 = x$, take $M_0 = x$.

Case: Assume that $\Gamma_1 \vdash M_1 : \sigma_1$ is derived by $\to$-intro.
Then $M_1 = \lambda x{:}\mu_1.M'_1$ and $\sigma_1 = \mu_1 \to \rho_1$ with $\Gamma_1, x{:}\mu_1 \vdash M'_1 : \rho_1$. From $[\tau/X]M_1 = [\rho/Y]M_2$, we obtain $M_2 = \lambda x{:}\mu_2.M'_2$ with $[\tau/X]\mu_1 = [\rho/Y]\mu_2$ and $[\tau/X]M'_1 = [\rho/Y]M'_2$. Furthermore, because $\Gamma_2 \vdash M_2 : \sigma_2$, $\sigma_2 = \mu_2 \to \rho_2$ and $\Gamma_2, x{:}\mu_2 \vdash M'_2 : \rho_2$. Consider now $\Gamma_1, x{:}\mu_1 \vdash M'_1 : \rho_1$ and $\Gamma_2, x{:}\mu_2 \vdash M'_2 : \rho_2$. By induction, there exist unique generalizers: $\Gamma'_0$ of $(\Gamma_1, x{:}\mu_1), (\Gamma_2, x{:}\mu_2)$; $M'_0$ of $M'_1, M'_2$; and $\rho_0$ of $\rho_1, \rho_2$, such that $\Gamma'_0 \vdash M'_0 : \rho_0$. But, since generalizers of types and of sets of declarations are unique, $\Gamma'_0$ must be $\Gamma_0, x{:}\mu_0$, where $\Gamma_0$ and $\mu_0$ are the unique generalizers of $\Gamma_1, \Gamma_2$ and of $\mu_1, \mu_2$, respectively. So, in fact, $\Gamma_0, x{:}\mu_0 \vdash M'_0 : \rho_0$, from which, by $\to$-intro, $\Gamma_0 \vdash \lambda x{:}\mu_0.M'_0 : \mu_0 \to \rho_0$. Clearly, $\lambda x{:}\mu_0.M'_0$ and $\mu_0 \to \rho_0$ are generalizers of $M_1, M_2$ and of $\sigma_1, \sigma_2$. Moreover, $\mu_0 \to \rho_0$ is unique by the uniqueness of type generalizers, and $\lambda x{:}\mu_0.M'_0$ is unique because any other generalizer of $M_1, M_2$ would be of the form $\lambda x{:}\mu'_0.M''_0$, giving further generalizers $\mu'_0$ and $M''_0$ of $\mu_1, \mu_2$ and of $M'_1, M'_2$, which is impossible. Hence, take $M_0 = \lambda x{:}\mu_0.M'_0$ and $\sigma_0 = \mu_0 \to \rho_0$.



Case: Assume that $\Gamma_1 \vdash M_1 : \sigma_1$ is derived by $\to$-elim.

Then, $M_1 = M'_1 N'_1$ with $\Gamma_1 \vdash M'_1 : \rho_1 \to \sigma_1$ and $\Gamma_1 \vdash N'_1 : \rho_1$.
From $[\tau/X]M_1 = [\rho/Y]M_2$, we obtain $M_2 = M'_2 N'_2$
with $[\tau/X]M'_1 = [\rho/Y]M'_2$ and $[\tau/X]N'_1 = [\rho/Y]N'_2$.

Furthermore, because $\Gamma_2 \vdash M_2 : \sigma_2$, then $\Gamma_2 \vdash M'_2 : \rho_2 \to \sigma_2$ and $\Gamma_2 \vdash N'_2 : \rho_2$.
Consider now $\Gamma_1 \vdash N'_1 : \rho_1$ and $\Gamma_2 \vdash N'_2 : \rho_2$.

By induction, there exist unique generalizers: $\Gamma_0$ of $\Gamma_1, \Gamma_2$; $N'_0$ of $N'_1, N'_2$; and
$\rho_0$ of $\rho_1, \rho_2$, such that $\Gamma_0 \vdash N'_0 : \rho_0$.

Consider also $\Gamma_1 \vdash M'_1 : \rho_1 \to \sigma_1$ and $\Gamma_2 \vdash M'_2 : \rho_2 \to \sigma_2$.

By induction, there exist unique generalizers: $M'_0$ of $M'_1, M'_2$ and $\rho'$ of
$\rho_1 \to \sigma_1, \rho_2 \to \sigma_2$, such that $\Gamma_0 \vdash M'_0 : \rho'$.

But by the uniqueness of type generalizers, $\rho'$ must be $\rho_0 \to \sigma_0$, where $\rho_0$ and $\sigma_0$ are unique
generalizers of $\rho_1, \rho_2$ and $\sigma_1, \sigma_2$, respectively.

Thus, we have $\Gamma_0 \vdash M'_0 : \rho_0 \to \sigma_0$ and $\Gamma_0 \vdash N'_0 : \rho_0$. So, by $\to$-elim, $\Gamma_0 \vdash M'_0 N'_0 : \sigma_0$.
Since $M'_0 N'_0$ is clearly a generalizer of $M_1, M_2$, with uniqueness proven as in the previous
case, take $M_0 = M'_0 N'_0$.

Case: Assume that $\Gamma_1 \vdash M_1 : \sigma_1$ is derived by $\forall$-intro.

Then, $M_1 = \Lambda Z.M'_1$ and $\sigma_1 = \forall Z.\rho_1$ with $\Gamma_1 \vdash M'_1 : \rho_1$, and $Z$ not free in the type of
any free term variable in $M'_1$ (by the side-condition on $\forall$-intro).

From $[\tau/X]M_1 = [\rho/Y]M_2$, we obtain $M_2 = \Lambda Z.M'_2$ with $[\tau/X]M'_1 = [\rho/Y]M'_2$.
Furthermore, because $\Gamma_2 \vdash M_2 : \sigma_2$, then $\sigma_2 = \forall Z.\rho_2$ and $\Gamma_2 \vdash M'_2 : \rho_2$
with $Z$ not free in the type of any free term variable in $M'_2$.
Consider now $\Gamma_1 \vdash M'_1 : \rho_1$ and $\Gamma_2 \vdash M'_2 : \rho_2$.

By induction, there exist unique generalizers: $\Gamma_0$ of $\Gamma_1, \Gamma_2$; $M'_0$ of $M'_1, M'_2$; and
$\rho_0$ of $\rho_1, \rho_2$, such that $\Gamma_0 \vdash M'_0 : \rho_0$.

Observe now that $Z$ is not free in the type of any free term variable in $M'_0$, since, by the
definition of generalizer, $M'_0$ contains exactly the free term variables of $M'_1, M'_2$.
Thus, we can apply $\forall$-intro to $\Gamma_0 \vdash M'_0 : \rho_0$ to obtain $\Gamma_0 \vdash \Lambda Z.M'_0 : \forall Z.\rho_0$.
Clearly, $\Lambda Z.M'_0$ and $\forall Z.\rho_0$ are generalizers of $M_1, M_2$ and $\sigma_1, \sigma_2$, respectively. Their
uniqueness follows as before. Hence, take $M_0 = \Lambda Z.M'_0$ and $\sigma_0 = \forall Z.\rho_0$.

Case: Assume that $\Gamma_1 \vdash M_1 : \sigma_1$ is derived by $\forall$-elim.

Then, $M_1 = M'_1 \mu_1$ and $\sigma_1 = [\mu_1/Z]\rho_1$ with $\Gamma_1 \vdash M'_1 : \forall Z.\rho_1$.
From $[\tau/X]M_1 = [\rho/Y]M_2$, we obtain $M_2 = M'_2 \mu_2$
with $[\tau/X]M'_1 = [\rho/Y]M'_2$ and $[\tau/X]\mu_1 = [\rho/Y]\mu_2$.

Furthermore, since $\Gamma_2 \vdash M_2 : \sigma_2$, then $\Gamma_2 \vdash M'_2 : \forall Z.\rho_2$ and $\sigma_2 = [\mu_2/Z]\rho_2$.
Consider now $\Gamma_1 \vdash M'_1 : \forall Z.\rho_1$ and $\Gamma_2 \vdash M'_2 : \forall Z.\rho_2$.

By induction, there exist unique generalizers: $\Gamma_0$ of $\Gamma_1, \Gamma_2$; $M'_0$ of $M'_1, M'_2$; and $\rho'$ of
$\forall Z.\rho_1, \forall Z.\rho_2$, such that $\Gamma_0 \vdash M'_0 : \rho'$.

By unicity of type generalizers, $\rho' = \forall Z.\rho_0$, where $\rho_0$ is the generalizer of $\rho_1, \rho_2$.
Thus, we have $\Gamma_0 \vdash M'_0 : \forall Z.\rho_0$, from which, by $\forall$-elim, $\Gamma_0 \vdash M'_0 \mu_0 : [\mu_0/Z]\rho_0$,
where $\mu_0$ is the unique generalizer of $\mu_1, \mu_2$ by Type Generalization (Lemma 5.1).
Clearly, $M'_0 \mu_0$ is a generalizer of $M_1, M_2$, with uniqueness proven as before.
Furthermore, by Lemma 5.3, $[\mu_0/Z]\rho_0$ is the unique generalizer of $\sigma_1 = [\mu_1/Z]\rho_1$,
$\sigma_2 = [\mu_2/Z]\rho_2$. Hence, take $M_0 = M'_0 \mu_0$ and $\sigma_0 = [\mu_0/Z]\rho_0$. $\blacksquare$
6 Weak Genericity of F-equality

In this section, we prove a weak form of Genericity that will be used in the final proof. The
weakness or asymmetry arises because $=_F$ is used in the premise instead of $=_{Fc}$. Generalizers
are a key tool in the proof. We first need the following lemma about simultaneous substitutions.

Lemma 6.1

Given type $\sigma$, if $[\tau_1/X_1, \ldots, \tau_n/X_n]\sigma = [\rho_1/X_1, \ldots, \rho_n/X_n]\sigma$ and $\tau_i \neq \rho_i$ for some
$1 \leq i \leq n$, then $X_i$ is not free in $\sigma$.

Proof: by induction on the structure of $\sigma$. Note that the substitution convention is used to
assume that $X_1, \ldots, X_n$ are not free in $\tau_1, \ldots, \tau_n, \rho_1, \ldots, \rho_n$. $\blacksquare$

Theorem 6.2 (Weak Genericity of F-equality)

Let $\Gamma \vdash M_1, M_2 : \sigma$. If $[\tau/X]M_1 =_F [\tau/X]M_2$ for some type $\tau$, then $M_1 =_{Fc} M_2$.

Proof: Let $M'_1$ and $M'_2$ be the normal forms of $M_1$ and $M_2$.
Then, $\Gamma \vdash M'_1, M'_2 : \sigma$, since normalization preserves typing.

Further, since reduction is type-substitutive$^1$, and since type substitution preserves normal
forms, then, from $[\tau/X]M_1 =_F [\tau/X]M_2$, we obtain $[\tau/X]M'_1 = [\tau/X]M'_2$.
We now apply Term Generalization to

$[\tau/X]M'_1 = [\tau/X]M'_2$ (3)

We are in the situation $\tau = \rho$, so the first case of the definition of generalizer applies, i.e.
$h = 2$. Thus, choose fresh type variables $Z_0, Z_1, Z_2$.

By Term Generalization (Theorem 5.5), there exist unique $Z_0, Z_1, Z_2$-generalizers: $\Gamma_0$ of
$\Gamma, \Gamma$; $M'_0$ of $M'_1, M'_2$; and $\sigma_0$ of $\sigma, \sigma$, such that $\Gamma_0 \vdash M'_0 : \sigma_0$.
By the definition of generalizer, we have

$[X/Z_0, \tau/Z_1, X/Z_2]\Gamma_0 = \Gamma = [\tau/Z_0, X/Z_1, X/Z_2]\Gamma_0$

$[X/Z_0, \tau/Z_1, X/Z_2]\sigma_0 = \sigma = [\tau/Z_0, X/Z_1, X/Z_2]\sigma_0$

Now, by the substitution convention applied to (3), $X \notin FV(\tau)$.

So, certainly, $\tau \neq X$. We can thus apply Lemma 6.1 to the above two equations to obtain
$Z_0$ and $Z_1$ not free in $\Gamma_0$ and $\sigma_0$.

Hence, we can apply Axiom C* to $M'_0$ for $Z_0, Z_1$ in the following:

$M_1 =_F M'_1$                                     ($M'_1$ is the normal form of $M_1$)
$\quad\;\, = [X/Z_0, \tau/Z_1, X/Z_2]M'_0$           ($M'_0$ is the generalizer of $M'_1, M'_2$)
$\quad\;\, =_{Fc} [\tau/Z_0, X/Z_1, X/Z_2]M'_0$      (by Axiom C*)
$\quad\;\, = M'_2$                                  ($M'_0$ is the generalizer of $M'_1, M'_2$)
$\quad\;\, =_F M_2$                                 ($M'_2$ is the normal form of $M_2$) $\blacksquare$



$^1$If $M$ reduces to $M'$ then $[\tau/X]M$ reduces to $[\tau/X]M'$ (cf. [Bar84, page 55]).
7 Quasi-Genericity of C*-equality

This section shows that applications of Axiom C* preserve the type substitution structure of
terms. That is, if Axiom C* is applied to a term of the form $[\tau/X]M$, then the result is a term
of the form $[\tau/X]N$ with $M =_{C^*} N$. We call this property Quasi-Genericity of C*-equality
(since it resembles genericity), and the proof of this uses generalizers.

We will write $M =^1_{C^*} N$ if $M$ and $N$ are made equal by one application of Axiom C* only, and
$M =_{C^*} N$ if Axiom C* is applied zero or more times. Clearly, if $M =^1_{C^*} N$, then the single
application of Axiom C* may have been made either to a proper subterm of $M$, or to the entire
term $M$. Note, however, that an application of Axiom C* to a term cannot always be split into
applications to subterms, as the example of Section 4 shows.

Theorem 7.1 (Quasi-Genericity of C*-equality)

If $[\tau/X]M =_{C^*} N'$ then there exists a term $N$ such that $M =_{C^*} N$ and $[\tau/X]N = N'$.

Proof: Construct $N$ by induction on the number of C*-applications in $[\tau/X]M =_{C^*} N'$.
Clearly, if there are 0 applications, i.e., $[\tau/X]M = N'$, then take $N = M$.

We consider here only the case $[\tau/X]M =^1_{C^*} N'$, as the inductive case is obvious by
transitivity.

Assume thus that $[\tau/X]M =^1_{C^*} N'$. Then, as remarked above, Axiom C* is applied either
to a proper subterm of $[\tau/X]M$, or to $[\tau/X]M$ itself.

If Axiom C* is applied to a proper subterm of $[\tau/X]M$, the theorem is proven by
straightforward induction on the structure of $M$.

Consider then the case when Axiom C* is applied to $[\tau/X]M$ itself.

We assume, with no loss of generality, that, by variable renaming, $X \notin FV(N')$.

Then, by the definition of Axiom C*, there exist a term $M'$, types $\rho, \rho'$, and a type variable
$Y$, such that

$[\tau/X]M = [\rho/Y]M' =^1_{C^*} [\rho'/Y]M' = N'$ (4)

where, for $\Gamma \vdash M : \sigma$, we have $\Gamma \vdash M' : \sigma'$, and $Y$ not free in $\Gamma$ nor $\sigma'$.

Since Axiom C* is actually applied, then $Y \in FV(M')$ and, thus, $X \notin FV(\rho')$, else $X$
would be free in $N'$, against the assumption.

We now apply Term Generalization to $[\tau/X]M = [\rho/Y]M'$.

Case: Assume that $\tau\ \mathrm{in}_k\ \rho$ for $k > 0$.

Choose fresh type variables $Z_0, \ldots, Z_h$ where $h = 2^k$.

By Term Generalization (Theorem 5.5), there exist unique $Z_0, \ldots, Z_h$-generalizers: $\Gamma_0$ of
$\Gamma, \Gamma$; $M_0$ of $M, M'$; and $\sigma_0$ of $\sigma, \sigma'$, such that $\Gamma_0 \vdash M_0 : \sigma_0$.

Observe now that, by the definition of generalizer, we have

$\Gamma = [\tau/Z_0, Y/Z_1, \ldots, Y/Z_h]\Gamma_0$ and $\sigma' = [\tau/Z_0, Y/Z_1, \ldots, Y/Z_h]\sigma_0$

But since we also have $Y$ not free in $\Gamma$ or $\sigma'$, then $Z_1, \ldots, Z_h$ cannot be free in $\Gamma_0$ or $\sigma_0$.

Hence, since $\Gamma_0 \vdash M_0 : \sigma_0$, we can apply Axiom C* to $M_0$ for the variables $Z_1, \ldots, Z_h$.
Thus, if we take

$N = [X/Z_0, \rho'/Z_1, \ldots, \rho'/Z_h]M_0$

we get the desired result, as

$M = [X/Z_0, \rho/Z_1, \ldots, \rho/Z_h]M_0$                    ($M_0$ is the generalizer of $M, M'$)
$\quad =_{C^*} [X/Z_0, \rho'/Z_1, \ldots, \rho'/Z_h]M_0$         (by Axiom C*)
$\quad = N$

and

$[\tau/X]N = [\tau/Z_0, \rho'/Z_1, \ldots, \rho'/Z_h]M_0$               (since $X \notin FV(\rho')$)
$\qquad\;\; = [\rho'/Y][\tau/Z_0, Y/Z_1, \ldots, Y/Z_h]M_0$           (by rearranging substitutions)
$\qquad\;\; = [\rho'/Y]M'$                                          ($M_0$ is the generalizer of $M, M'$)
$\qquad\;\; = N'$                                                   (by (4))

Case: Assume that $\rho\ \mathrm{in}_k\ \tau$ for $k > 0$ and the previous case does not apply.
Choose fresh type variables $Z_0, \ldots, Z_h$ where $h = 2^k$.

By Term Generalization (Theorem 5.5), there exist unique $Z_0, \ldots, Z_h$-generalizers: $\Gamma_0$ of
$\Gamma, \Gamma$; $M_0$ of $M, M'$; and $\sigma_0$ of $\sigma, \sigma'$, such that $\Gamma_0 \vdash M_0 : \sigma_0$.

Observe now that, by the definition of generalizer, we have

$\Gamma = [Y/Z_0, \tau/Z_1, \tau^Y_2/Z_2, \ldots, \tau^Y_h/Z_h]\Gamma_0$

and $\sigma' = [Y/Z_0, \tau/Z_1, \tau^Y_2/Z_2, \ldots, \tau^Y_h/Z_h]\sigma_0$.

But we also have that $Y$ is not free in $\Gamma$ or $\sigma'$,
so $Z_0, Z_2, \ldots, Z_h$ cannot be free in $\Gamma_0$ or $\sigma_0$.

Hence, since $\Gamma_0 \vdash M_0 : \sigma_0$, we can apply Axiom C* to $M_0$ for $Z_0, Z_2, \ldots, Z_h$.
Let $\tau'_i = [\rho'/Y]\tau^Y_i$. Then, if we take

$N = [\rho'/Z_0, X/Z_1, \tau'_2/Z_2, \ldots, \tau'_h/Z_h]M_0$

we get the desired result, as

$M = [\rho/Z_0, X/Z_1, X/Z_2, \ldots, X/Z_h]M_0$                     ($M_0$ is the generalizer of $M, M'$)
$\quad =_{C^*} [\rho'/Z_0, X/Z_1, \tau'_2/Z_2, \ldots, \tau'_h/Z_h]M_0$   (by Axiom C*)
$\quad = N$

and

$[\tau/X]N = [\rho'/Z_0, \tau/Z_1, \tau'_2/Z_2, \ldots, \tau'_h/Z_h]M_0$            (since $X \notin FV(\rho')$)
$\qquad\;\; = [\rho'/Y][Y/Z_0, \tau/Z_1, \tau^Y_2/Z_2, \ldots, \tau^Y_h/Z_h]M_0$   (by rearranging substitutions)
$\qquad\;\; = [\rho'/Y]M'$                                                     ($M_0$ is the generalizer of $M, M'$)
$\qquad\;\; = N'$                                                              (by (4)) $\blacksquare$

The next theorem is another weak form of Genericity, with C*-equality in the premise instead
of Fc-equality. Quasi-Genericity is used in the proof.

Theorem 7.2 (Weak Genericity of C*-equality)

Let $\Gamma \vdash M_1, M_2 : \sigma$. If $[\tau/X]M_1 =_{C^*} [\tau/X]M_2$ for some type $\tau$, then $M_1 =_{Fc} M_2$.

Proof: Apply Quasi-Genericity of C*-equality (Theorem 7.1) to $[\tau/X]M_1 =_{C^*} [\tau/X]M_2$.
Thus, there exists a term $N$ such that $M_1 =_{Fc} N$ and $[\tau/X]N = [\tau/X]M_2$.
Observe that, since $M_1 =_{Fc} N$, then $N$ must live in $\sigma$, the type of $M_1$ and $M_2$.
Apply now Weak Genericity of F-equality (Theorem 6.2) to $[\tau/X]N = [\tau/X]M_2$.
Then, $N =_{Fc} M_2$. Hence, $M_1 =_{Fc} N =_{Fc} M_2$. $\blacksquare$

Note that the property of preserving type substitution structure does not hold for F-equality.
Backward $\beta_2$ reduction causes problems, as witnessed by the following counter-example.
Assume $x$ has type $\forall Y.Y$. Take $M = xX$ with $\tau = \sigma_1 \to \sigma_2$ and $N' = (\Lambda Z.x(Z \to \sigma_2))\sigma_1$.
Then,

$[\tau/X]M = x(\sigma_1 \to \sigma_2) \;\leftarrow_{\beta_2}\; (\Lambda Z.x(Z \to \sigma_2))\sigma_1 = N'$

Now, since $\tau = \sigma_1 \to \sigma_2$ does not occur in $N'$, any $N$ such that $[\tau/X]N = N'$ cannot
contain $X$ free. Thus, $N = [\tau/X]N = N'$, and $N$ has type $\tau$. But $M$ has type $X$. Hence,
$M = N$ is impossible, since they live in different types.

However, all forward reductions preserve type substitution structure, as does backward $\eta_2$
reduction. Proofs of these are straightforward.

Fact 7.3

If $[\tau/X]M \to_F N'$ then there exists a term $N$ such that $M \to_F N$ and $[\tau/X]N = N'$.

Fact 7.4

If $[\tau/X]M \leftarrow_{\eta_2} N'$ then there exists a term $N$ such that $M \leftarrow_{\eta_2} N$ and $[\tau/X]N = N'$.

8 Commutativity of C*-equality with Reduction

This section describes the commutativity of C*-equality with reduction. It turns out that
C*-equality commutes with $\beta_1$, $\beta_2$ and $\eta_1$ reductions but not with $\eta_2$ reduction. To see this
last point, take $M$ of type $\forall Z.\sigma$ with $Z \notin FV(\sigma)$, and $X$ fresh. Then, because $\Lambda X.M\tau$ does
not $\eta_2$-reduce to $M$, we cannot complete the following diagram:

$\Lambda X.MX \;=_{C^*}\; \Lambda X.M\tau$
$\;\;\downarrow_{\eta_2}$
$\;\;M$

We need the following lemma about the substitutivity of C*-equality.

Lemma 8.1 (Substitutivity of C*-equality)

If $M_1 =_{C^*} M_2$ and $N_1 =_{C^*} N_2$ then $[N_1/x]M_1 =_{C^*} [N_2/x]M_2$ and $[\tau/X]M_1 =_{C^*} [\tau/X]M_2$.

Proof: An easy induction on the structure of $M_1$. $\blacksquare$

We now prove that C*-equality commutes with $\beta_1\beta_2\eta_1$ reduction, first for the one-step case,
then for the multi-step case. Note that, in the one-step case, a multi-step C*-equality completes
the commuting diagram.



Lemma 8.2 (One-Step Commutativity)

If $M =^1_{C^*} N$ then there exists a term $N'$ such that

$M \;\;\;=^1_{C^*}\;\;\; N$
$\downarrow^1_{\beta_1\beta_2\eta_1} \qquad\; \downarrow_{\beta_1\beta_2\eta_1}$
$M' \;\;\;=_{C^*}\;\;\; N'$

Proof: By case analysis of $M \to^1_{\beta_1\beta_2\eta_1} M'$ and $M =^1_{C^*} N$.

Since $\beta_1\beta_2\eta_1$ is substitutive, we can assume that the reduction is applied directly to $M$,
ignoring the cases where it is applied to a subterm or superterm of $M$.

Case: $(\lambda x{:}\mu.M_1)M_2 \to^1_{\beta_1} [M_2/x]M_1$.

Subcase: Assume that Axiom C* is applied to $M_1$.
Then, $M_1 =_{C^*} N_1$ and $(\lambda x{:}\mu.M_1)M_2 =_{C^*} (\lambda x{:}\mu.N_1)M_2$.
Clearly, $(\lambda x{:}\mu.N_1)M_2 \to^1_{\beta_1} [M_2/x]N_1$.
And, by Lemma 8.1, $[M_2/x]M_1 =_{C^*} [M_2/x]N_1$.
Therefore, take $N' = [M_2/x]N_1$.

Subcase: Assume that Axiom C* is applied to $M_2$.
Then, $M_2 =_{C^*} N_2$ and $(\lambda x{:}\mu.M_1)M_2 =_{C^*} (\lambda x{:}\mu.M_1)N_2$.
Clearly, $(\lambda x{:}\mu.M_1)N_2 \to^1_{\beta_1} [N_2/x]M_1$.
And, by Lemma 8.1, $[M_2/x]M_1 =_{C^*} [N_2/x]M_1$.
Therefore, take $N' = [N_2/x]M_1$.

Subcase: Assume that Axiom C* is applied to $\lambda x{:}\mu.M_1$.
Then, by the definition of Axiom C*, there exist $\nu, N_1, \rho, \rho', Y$ such that

$\lambda x{:}\mu.M_1 = [\rho/Y](\lambda x{:}\nu.N_1) =^1_{C^*} [\rho'/Y](\lambda x{:}\nu.N_1)$

with $\mu = [\rho/Y]\nu$ and $M_1 = [\rho/Y]N_1$,
and $\Gamma \vdash \lambda x{:}\nu.N_1 : \nu \to \sigma$, and $Y$ not free in $\Gamma$ or $\nu \to \sigma$.
Clearly, $Y$ is also not free in $\nu$. Hence, $\mu = [\rho/Y]\nu = \nu$.
Moreover, $Y$ is not free in $\sigma$, the type of $N_1$.
Therefore, Axiom C* is applied to $M_1 = [\rho/Y]N_1$, and that subcase applies.

Subcase: Assume that Axiom C* is applied to $(\lambda x{:}\mu.M_1)M_2$.
Then, by the definition of Axiom C*, there exist $\nu, N_1, N_2, \rho, \rho', Y$ such that

$(\lambda x{:}\mu.M_1)M_2 = [\rho/Y]((\lambda x{:}\nu.N_1)N_2) =^1_{C^*} [\rho'/Y]((\lambda x{:}\nu.N_1)N_2)$

with $\mu = [\rho/Y]\nu$, $M_1 = [\rho/Y]N_1$, $M_2 = [\rho/Y]N_2$,
and $\Gamma \vdash (\lambda x{:}\nu.N_1)N_2 : \sigma$, and $Y$ not free in $\Gamma$ or $\sigma$.
Since $\Gamma \vdash (\lambda x{:}\nu.N_1)N_2 : \sigma$, then $\Gamma \vdash [N_2/x]N_1 : \sigma$.
Axiom C* can thus be applied to $[N_2/x]N_1$.
Hence, take $N' = [\rho'/Y][N_2/x]N_1$, for then

$[M_2/x]M_1 = [\rho/Y][N_2/x]N_1$          (since $M_1 = [\rho/Y]N_1$ and $M_2 = [\rho/Y]N_2$)
$\qquad\quad\;\; =_{C^*} [\rho'/Y][N_2/x]N_1$   (by Axiom C*)

and $[\rho'/Y]((\lambda x{:}\nu.N_1)N_2) \to^1_{\beta_1} [\rho'/Y][N_2/x]N_1$, since $\beta_1$ is substitutive.

Case: $(\Lambda X.M_1)\mu \to^1_{\beta_2} [\mu/X]M_1$.

Subcase: Assume that Axiom C* is applied to $M_1$.
Then, $M_1 =_{C^*} N_1$ and $(\Lambda X.M_1)\mu =_{C^*} (\Lambda X.N_1)\mu$.
Clearly, $(\Lambda X.N_1)\mu \to^1_{\beta_2} [\mu/X]N_1$.
And, by Lemma 8.1, $[\mu/X]M_1 =_{C^*} [\mu/X]N_1$.
Therefore, take $N' = [\mu/X]N_1$.

Subcase: Assume that Axiom C* is applied to $\Lambda X.M_1$.
Then, by the definition of Axiom C*, there exist $N_1, \rho, \rho', Y$ such that

$\Lambda X.M_1 = [\rho/Y](\Lambda X.N_1) =^1_{C^*} [\rho'/Y](\Lambda X.N_1)$

with $M_1 = [\rho/Y]N_1$, and $\Gamma \vdash \Lambda X.N_1 : \forall X.\sigma$, and $Y$ not free in $\Gamma$ or $\forall X.\sigma$.
Clearly, $Y$ is not free in $\sigma$, the type of $N_1$.
Axiom C* is therefore applied to $M_1 = [\rho/Y]N_1$ and that subcase applies.

Subcase: Assume that Axiom C* is applied to $(\Lambda X.M_1)\mu$.
Then, by the definition of Axiom C*, there exist $N_1, \nu, \rho, \rho', Y$ such that

$(\Lambda X.M_1)\mu = [\rho/Y]((\Lambda X.N_1)\nu) =^1_{C^*} [\rho'/Y]((\Lambda X.N_1)\nu)$

with $M_1 = [\rho/Y]N_1$ and $\mu = [\rho/Y]\nu$,
and $\Gamma \vdash (\Lambda X.N_1)\nu : \sigma$, and $Y$ not free in $\Gamma$ or $\sigma$.
Since $\Gamma \vdash (\Lambda X.N_1)\nu : \sigma$, then $\Gamma \vdash [\nu/X]N_1 : \sigma$.
Axiom C* can thus be applied to $[\nu/X]N_1$.
Hence, take $N' = [\rho'/Y][\nu/X]N_1$, for then

$[\mu/X]M_1 = [\rho/Y][\nu/X]N_1$           (since $\mu = [\rho/Y]\nu$ and $M_1 = [\rho/Y]N_1$)
$\qquad\quad\, =_{C^*} [\rho'/Y][\nu/X]N_1$    (by Axiom C*)

and $[\rho'/Y]((\Lambda X.N_1)\nu) \to^1_{\beta_2} [\rho'/Y][\nu/X]N_1$, since $\beta_2$ is substitutive.

Case: $\lambda x{:}\mu.M_1 x \to^1_{\eta_1} M_1$ with $x$ not free in $M_1$.

Subcase: Assume that Axiom C* is applied to $M_1$.
Then, $M_1 =_{C^*} N_1$ and $\lambda x{:}\mu.M_1 x =_{C^*} \lambda x{:}\mu.N_1 x$.
Now, since $x$ is not free in $M_1$ and since Axiom C* does not affect term variables,
$x$ is also not free in $N_1$. Thus, $\lambda x{:}\mu.N_1 x \to^1_{\eta_1} N_1$.
Therefore, take $N' = N_1$.

Subcase: Assume that Axiom C* is applied to $M_1 x$.
Then, by the definition of Axiom C*, there exist $N_1, \rho, \rho', Y$ such that

$M_1 x = [\rho/Y](N_1 x) =^1_{C^*} [\rho'/Y](N_1 x)$

with $M_1 = [\rho/Y]N_1$, and $\Gamma, x{:}\mu \vdash N_1 x : \sigma$, and $Y$ not free in $\Gamma$, $x{:}\mu$ or $\sigma$.
Clearly, $Y$ is also not free in $\mu \to \sigma$, the type of $N_1$.
Axiom C* is therefore applied to $M_1 = [\rho/Y]N_1$ and that subcase applies.

Subcase: Assume that Axiom C* is applied to $\lambda x{:}\mu.M_1 x$.
Then, by the definition of Axiom C*, there exist $\nu, N_1, \rho, \rho', Y$ such that

$\lambda x{:}\mu.M_1 x = [\rho/Y](\lambda x{:}\nu.N_1 x) =^1_{C^*} [\rho'/Y](\lambda x{:}\nu.N_1 x)$

with $\mu = [\rho/Y]\nu$ and $M_1 = [\rho/Y]N_1$,
and $\Gamma \vdash \lambda x{:}\nu.N_1 x : \nu \to \sigma$, and $Y$ not free in $\Gamma$ or $\nu \to \sigma$.
$Y$ is therefore not free in $\nu$, so $\mu = [\rho/Y]\nu = \nu$.
Also, $Y$ is not free in $\sigma$, the type of $N_1 x$.
Axiom C* is thus applied to $M_1 x = [\rho/Y](N_1 x)$, and that subcase applies. $\blacksquare$



Theorem 8.3 (Commutativity)

If $M =_{C^*} N$ then there exists a term $N'$ such that

$M \;\;\;=_{C^*}\;\;\; N$
$\downarrow_{\beta_1\beta_2\eta_1} \qquad\; \downarrow_{\beta_1\beta_2\eta_1}$
$M' \;\;\;=_{C^*}\;\;\; N'$

Proof: By decomposing the multi-step C*-equalities and $\beta_1\beta_2\eta_1$-reductions into single steps,
and using One-Step Commutativity (Lemma 8.2) to complete the following diagram:

$M \;\;=^1_{C^*}\;\; N_{11} \;\;=^1_{C^*}\;\; \cdots \;\;=^1_{C^*}\;\; N_{1j} \;\;=^1_{C^*}\;\; \cdots \;\;=^1_{C^*}\;\; N$
$\downarrow^1_{\beta_1\beta_2\eta_1} \qquad \downarrow_{\beta_1\beta_2\eta_1} \qquad\qquad\qquad\;\; \downarrow_{\beta_1\beta_2\eta_1} \qquad\qquad\qquad\;\; \downarrow_{\beta_1\beta_2\eta_1}$
$M'_2 \;\;=_{C^*}\;\; N_{21} \;\;=_{C^*}\;\; \cdots \;\;=_{C^*}\;\; N_{2j} \;\;=_{C^*}\;\; \cdots$
$\downarrow^1_{\beta_1\beta_2\eta_1} \qquad \downarrow_{\beta_1\beta_2\eta_1} \qquad\qquad\qquad\;\; \downarrow_{\beta_1\beta_2\eta_1}$
$\;\vdots \qquad\qquad\quad\;\; \vdots \qquad\qquad\qquad\qquad\;\; \vdots$
$\downarrow^1_{\beta_1\beta_2\eta_1} \qquad \downarrow_{\beta_1\beta_2\eta_1} \qquad\qquad\qquad\;\; \downarrow_{\beta_1\beta_2\eta_1}$
$M' \;\;=_{C^*}\;\; \cdots \;\;=_{C^*}\;\; \cdots \;\;=_{C^*}\;\; N'$

Each row is obtained from the one above by applying Lemma 8.2 to one reduction step on the
left and, in turn, to each single C*-step of that row.
9 The Genericity Theorem

Finally, in this section, we prove the Main Lemma that leads to the Genericity Theorem. We
first need the following lemma:

Lemma 9.1 ($\eta_2$-postponement)

If $M \to_F M'$ then there exists a term $M''$ such that $M \to_{\beta_1\beta_2\eta_1} M'' \to_{\eta_2} M'$.

Proof: Easy; see [BS93]. $\blacksquare$

Lemma 9.2 (Main)

Let $\Gamma \vdash M, N : \sigma$. If $[\tau/X]M =_{Fc} [\tau/X]N$ for some type $\tau$, then $M =_{Fc} N$.

Proof: Observe first that the chain of Fc-equalities from $[\tau/X]M$ to $[\tau/X]N$ can be written:

$[\tau/X]M =_F M''_1 =_{C^*} M''_2 =_F M''_3 =_{C^*} \cdots =_F M''_{n-1} =_{C^*} M''_n =_F [\tau/X]N$

that is, as alternations of F-equalities and C*-equalities with the initial and final equalities
being F-equalities. These initial or final F-equalities may be just trivial syntactic identities
if, in fact, a C*-equality starts or ends the chain.

Case: The chain consists entirely of F-equalities, i.e., $[\tau/X]M =_F [\tau/X]N$. Then, by Weak
Genericity of F-equality (Theorem 6.2), we have the result $M =_{Fc} N$.

Case: The chain consists entirely of C*-equalities, i.e., $[\tau/X]M =_{C^*} [\tau/X]N$. Then, by Weak
Genericity of C*-equality (Theorem 7.2), $M =_{Fc} N$.

Case: There is at least one (non-trivial) C*-equality and one (non-trivial) F-equality. We
proceed with a series of transformations on the chain, starting with the first three links:

$[\tau/X]M =_F M''_1 =_{C^*} M''_2 =_F M''_3$

First, as a consequence of the equational Church-Rosser property for F, transform the
F-equalities into reductions. Then, apply $\eta_2$-postponement (Lemma 9.1) to the reduction
sequence from $M''_1$. Thus, there exist terms $M'_1, M'_3, N'_1$ such that:
$[\tau/X]M \to_F N'_1 \leftarrow_{\eta_2} M'_1 \leftarrow_{\beta_1\beta_2\eta_1} M''_1 \;=_{C^*}\; M''_2 \to_F M'_3 \leftarrow_F M''_3$

Then, by Commutativity of C*-equality with reduction (Theorem 8.3), there exists
$M'_2$ such that $M''_2 \to_{\beta_1\beta_2\eta_1} M'_2$ and $M'_1 =_{C^*} M'_2$:

$[\tau/X]M \to_F N'_1 \leftarrow_{\eta_2} M'_1 \leftarrow_{\beta_1\beta_2\eta_1} M''_1 \;=_{C^*}\; M''_2 \to_{\beta_1\beta_2\eta_1} M'_2$, with $M'_1 =_{C^*} M'_2$ and $M''_2 \to_F M'_3 \leftarrow_F M''_3$

The Church-Rosser property can then be used to complete the diamond between $M'_2$ and
$M''_3$, i.e., to join them at a common reduct.

In this way, the original three links from $[\tau/X]M$ to $M''_3$ can be replaced by:

$[\tau/X]M \to_F N'_1 \leftarrow_{\eta_2} M'_1 \;=_{C^*}\; M'_2 \;=_F\; M''_3$

Repeat this transformation down the rest of the chain by sets of three consecutive links of
the form $\cdot =_F \cdot =_{C^*} \cdot =_F \cdot$, continuing with $M'_2 =_F M''_3 =_{C^*} M''_4 =_F M''_5$. Note that
the first link of each set coincides with the last link of the previously modified set. At the
end, the transformed chain will look like:

$[\tau/X]M \to N'_1 \leftarrow M'_1 \;=_{C^*}\; M'_2 \to \cdots \leftarrow M'_{n-1} \;=_{C^*}\; M'_n \to N' \leftarrow [\tau/X]N$

where each left-pointing arrow, except for the final one, consists of forward $\eta_2$ reductions.
The final left-pointing arrow, and all the right-pointing ones, consist of forward $\beta_1\beta_2\eta_1\eta_2$
reductions.
From here on, we work with the transformed chain. Consider now the start of it:

$[\tau/X]M \to_F N'_1 \leftarrow_{\eta_2} M'_1 \;=_{C^*}\; M'_2$

— By Fact 7.3, there exists $N_1$ such that $N'_1 = [\tau/X]N_1$ and $M \to_F N_1$.

— By Fact 7.4, there exists $M_1$ such that $M'_1 = [\tau/X]M_1$ and $N_1 \leftarrow_{\eta_2} M_1$.

— By Quasi-Genericity of C*-equality (Theorem 7.1), there exists $M_2$ such that
$M'_2 = [\tau/X]M_2$ and $M_1 =_{C^*} M_2$.

Thus, we have

$[\tau/X]M \to_F [\tau/X]N_1 = N'_1 \leftarrow_{\eta_2} [\tau/X]M_1 = M'_1 \;=_{C^*}\; M'_2 = [\tau/X]M_2$

with $M \to_F N_1 \leftarrow_{\eta_2} M_1 =_{C^*} M_2$. Hence, $M =_{Fc} M_2$.
Now, iterate this process along the chain from $M'_2 = [\tau/X]M_2$.

We thus "push" the type substitution $[\tau/X]$ along the chain so that, eventually, for $M'_n$,
the penultimate term of the chain, there exists a term $M_n$ such that $M'_n = [\tau/X]M_n$ and
$M =_{Fc} M_n$. Apply then Weak Genericity of F-equality (Theorem 6.2) to the last link
$[\tau/X]M_n = M'_n =_F [\tau/X]N$. This gives $M_n =_{Fc} N$.

Since $M =_{Fc} M_n$, then $M =_{Fc} N$ as required. $\blacksquare$



Theorem 9.3 (Genericity)

Let $\Gamma \vdash M, N : \forall X.\sigma$. If $M\tau =_{Fc} N\tau$ for some type $\tau$, then $M =_{Fc} N$.

Proof: Choose a fresh type variable $Z$.

Then, $\Gamma \vdash MZ, NZ : [Z/X]\sigma$ and $[\tau/Z](MZ) = M\tau =_{Fc} N\tau = [\tau/Z](NZ)$.
Hence, applying the Main Lemma (Lemma 9.2), $MZ =_{Fc} NZ$.

Observe that $Z$ fresh means $Z$ not free in the type of any free term variable in $MZ$ or $NZ$.

So, by $\forall$-intro, $\Lambda Z.MZ$ and $\Lambda Z.NZ$ are well-typed terms (of type $\forall Z.[Z/X]\sigma$).

Hence, by $\xi_2$, $\Lambda Z.MZ =_{Fc} \Lambda Z.NZ$, and, by $\eta_2$, $M =_{Fc} N$. $\blacksquare$



10 Models

In this section, we outline the validity of Axiom C in some relevant models. Details and
further references about the model theory of system F may be found in [AL91] or [Hyl]. The
reader may also see [LM91] for an introductory presentation of PER models and [GLT89]
or [CGW88] for models based on coherent spaces or dI-domains. These constructions provide
the main concrete paradigms for the general semantics of impredicative Type Theory and, by
this, they allow a more explicit understanding of the semantic problems we will mention at the
very end.

In short, in PER models, types are interpreted as partial equivalence relations (p.e.r.) on an
arbitrary (partial) combinatory algebra $(D, \cdot)$, that is, on a model of (partial) Combinatory
Logic. In other words, a type is a quotient of a subset of $D$ modulo an equivalence relation.
The terms of system F are interpreted as equivalence classes in these quotient sets. Given
$d \in D$, call $[d]_A$ the equivalence class of $d$ in the p.e.r. $A$. Now, $(D, \cdot)$ yields a model of the
type-free $\lambda$-calculus $(D, \cdot, [\![\,\cdot\,]\!])$, see [Bar84]. Set then $er(M)$ for the term of system F with all
types erased (e.g., $er(\lambda x{:}\tau.M\rho) = \lambda x.er(M)$) and consider $[\![er(M)]\!]_\xi$, i.e., the interpretation
in $D$, under term environment $\xi$, of the type-free term $er(M)$. A result in [Mit86] (see
also [CL91]) shows that the meaning in the PER model of a term $M$ of system F is given by
the equivalence class of the meaning of its erasure in the p.e.r. that interprets its type. More
formally, if environment $\xi'$ is obtained from $\xi$ by forgetting type information,

$[\![\Gamma \vdash M : \sigma]\!]_\xi = \big[\,[\![er(M)]\!]_{\xi'}\,\big]_{[\![\sigma]\!]_\xi}$

It is then clear that PER models realize Axiom C: if $M\tau$ and $M\tau'$ live in the same type $\sigma$, then
their meanings are identical, as $er(M\tau) = er(M\tau')$.
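
The two definitions just used, simultaneous type substitution as in Lemma 6.1 and the erasure $er(M)$ behind the PER-model validity of Axiom C, are exercised below on constructed inputs in an added Python illustration; this is our own code, not code from the paper, and all names (TVar, tsubst, erase, axiom_c_instances_agree, ...) and the sample types are ours.

```python
# Added illustration, not code from the paper: a minimal System F syntax used to
# exercise Lemma 6.1 (agreeing simultaneous substitutions force the varying
# variable to be non-free) and the erasure argument for Axiom C in PER models.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union

@dataclass(frozen=True)
class TVar:                  # type variable X
    name: str
@dataclass(frozen=True)
class Arrow:                 # sigma -> rho
    dom: "Type"
    cod: "Type"
@dataclass(frozen=True)
class Forall:                # forall X. sigma
    var: str
    body: "Type"
Type = Union[TVar, Arrow, Forall]

def ftv(t: Type) -> FrozenSet[str]:
    """Free type variables FV(t)."""
    if isinstance(t, TVar):
        return frozenset({t.name})
    if isinstance(t, Arrow):
        return ftv(t.dom) | ftv(t.cod)
    return ftv(t.body) - {t.var}

def tsubst(s: Dict[str, Type], t: Type) -> Type:
    """Simultaneous substitution [s[X1]/X1, ..., s[Xn]/Xn]t.  The paper's
    substitution convention is assumed: bound variables of t are distinct from
    the free variables of the substituted types, so no renaming is needed."""
    if isinstance(t, TVar):
        return s.get(t.name, t)
    if isinstance(t, Arrow):
        return Arrow(tsubst(s, t.dom), tsubst(s, t.cod))
    inner = {x: u for x, u in s.items() if x != t.var}   # t.var is bound here
    return Forall(t.var, tsubst(inner, t.body))

def lemma_6_1_holds(sigma: Type, s1: Dict[str, Type], s2: Dict[str, Type]) -> bool:
    """Instance check of Lemma 6.1 for two substitutions over the same variables:
    if they agree on sigma, each variable on which they differ is not free in
    sigma.  Returns False only when that conclusion is violated."""
    if tsubst(s1, sigma) != tsubst(s2, sigma):
        return True                                       # premise fails
    differing = {x for x in s1 if s1[x] != s2[x]}
    return differing.isdisjoint(ftv(sigma))

# Terms: variable, typed lambda, type abstraction, type application (application
# of terms is omitted; it plays no role in the erasure argument below).
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Lam:                   # lambda x:ty. body
    var: str
    ty: Type
    body: "Term"
@dataclass(frozen=True)
class TLam:                  # Lambda X. body
    var: str
    body: "Term"
@dataclass(frozen=True)
class TApp:                  # fun ty
    fun: "Term"
    ty: Type
Term = Union[Var, Lam, TLam, TApp]

def erase(m: Term) -> tuple:
    """Type erasure er(M) as an untyped term in nested tuples, following the text:
    er(lambda x:tau. M) = lambda x. er(M), er(Lambda X. M) = er(M), er(M rho) = er(M)."""
    if isinstance(m, Var):
        return ("var", m.name)
    if isinstance(m, Lam):
        return ("lam", m.var, erase(m.body))
    if isinstance(m, TLam):
        return erase(m.body)
    return erase(m.fun)

def instance_type(m_ty: Forall, tau: Type) -> Type:
    """Type of M tau when M : forall X. sigma, namely [tau/X]sigma (forall-elim)."""
    return tsubst({m_ty.var: tau}, m_ty.body)

def axiom_c_instances_agree(m: Term, m_ty: Forall, tau: Type, tau2: Type) -> bool:
    """Axiom C situation: when M tau and M tau' live in the same type (X not free
    in sigma), their erasures, and hence their PER meanings, coincide."""
    if instance_type(m_ty, tau) != instance_type(m_ty, tau2):
        return False                                      # Axiom C does not apply
    return erase(TApp(m, tau)) == erase(TApp(m, tau2))
```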

As for dI-based models, we recall here only that these may be constructed over the category
of coherent spaces and stable maps, as in [Gir86], or over proper dI-domains as in [CGW88],
which we follow. Types then are dI-domains or, more precisely, in view of possibly free
type variables, they are maps over dI-domains. Indeed, they may be understood as functors
if one considers the subcategory $DI_L$ of dI-domains and just rigid embeddings as maps, as
in [CGW88]. (The impossibility of viewing types as functors, in general, was discussed in
the introduction, in view of the (contra-) and (co-)variance of the $\to$ functor.) In short, let
$F : DI_L \to DI_L$ be a functor. Then $\Pi F$, the product functor meant to interpret impredicative
second-order types, is simply the collection of uniform families $(t_X)$, where $X$ ranges over
dI-domains, such that $t_X \in F(X)$ and $t_X = F(f)^R\, t_Y$ for any dI-domain $Y$ and any morphism
$f$ from $X$ to $Y$. Assume now that $\forall X.\sigma$ is such that $X$ is not free in $\sigma$. This means that $\sigma$ is
interpreted by a constant functor $F$, with respect to $X$. Then $F(f)^R = F(f) = id$ always. In
particular, take $Y$ as the universal domain, i.e., any other may be rigidly embedded in it. Then,
for any uniform family $(t_X)$ and any $X$, one has $t_X = t_Y$ in $F(X)$. This is exactly the validity
of Axiom C in these models.

There are several ways to describe the general (categorical) semantics of system F. In order to
give a general meaning to Axiom C, we follow the presentation by internal categories given
in [AL91]. First, though, the naive, set-theoretic approach may guide our intuition. Let $Tp$ be
the collection of semantic types. A variable type is then a function $F : Tp \to Tp$. As usual, a
product indexed over $Tp$ is given by the set

$\Pi F = \{\, f : Tp \to \textstyle\bigcup F \;\mid\; \forall X \in Tp\;\; f(X) \in F(X) \,\}$



Then Axiom C corresponds to

if $f \in \Pi F$ and $\exists A\, \forall B\;\; F(B) = A$, then $\exists a \in A\, \forall B\;\; f(B) = a$

Or, also, $\Pi F$ and $A$ are set-theoretically isomorphic, when $F$ is constantly equal to $A$. We
know though that classical Set Theory does not yield models of impredicative Type Theory.
However, models may be found as categories which are internal not to the category of sets
and functions, but to more "constructive" ones, which enjoy the fundamental adjunction (Adj)
below. Following [AL91], let $c = (c_0, c_1)$ be a category internal to a Cartesian Closed Category
(ccc) $E$ with all finite limits. Let $c^{c_0}$ be the category of internal functors. Then $(E, c)$ yields a
model of system F if $c$ is an internal ccc and the (internal) product functor $\Pi : c^{c_0} \to c$ exists
as the right adjoint of the (internal) diagonal functor $K : c \to c^{c_0}$, i.e., the functor that to each
$A$ associates the functor $KA$, which is constant $A$. In other words,

(Adj) $\;\; c^{c_0}[K\_, \_] \cong c[\_, \Pi\_]$

We claim that, among these models, exactly those which realize the following natural
isomorphism

(Const) $\;\; c^{c_0}[K\_, K\_] \cong c[\_, \_]$

are models of Axiom C. Indeed, by (Adj), (Const) implies, naturally in $A, B$,

$c[B, \Pi(KA)] \cong c^{c_0}[KB, KA] \cong c[B, A]$

This is equivalent, in these models, to the isomorphism $\Pi(KA) \cong A$, i.e., to the intuitive
set-theoretic meaning of Axiom C. A final remark: both the term model of system F, of course,
and the retraction models (see [AL91]) do not realize Axiom C.

The semantics of the Genericity Theorem raises some interesting issues. Observe that

(GEN) $\;\; \exists\tau\;\; M\tau = N\tau \;\Rightarrow\; M = N$

is not an equation, but an implication between equations. Thus, a model $\mathcal{M}$ of Fc does
not need to realize (GEN), in the sense that $\exists\tau\; M\tau = N\tau$ may be true in the model but
$M = N$ is false. For example, PER models and dI-domains do not realize (GEN). Consider
$0, K : \forall X.X \to (X \to X)$. Take then a type $\tau$ which has at most one element, for instance
$\forall X.X$ or $\forall X.X \to X$. Then, in both classes of models, $K\tau = 0\tau$, but, of course, $K \neq 0$.
By generalizing this argument (see [Lon93]), models of relational parametricity also do not
realize (GEN). This lack (so far) of models of (GEN) is in spite of the many models of Fc and
the provability of the implication. Note that an understanding of the semantics is relevant, not
only for model-theoretic reasons, but also for the extensions of system F which are relevant in
practice. That is, actual polymorphic functional languages may be based on core calculi, plus
possibly more equation schemes. Thus, the investigation of which equational theories realize
(GEN), as an important property of polymorphic functions, is a further challenge.